From d2561588ea0e40451d2aeadc05b9fac9a47daa1a Mon Sep 17 00:00:00 2001 From: Ben Alfasi Date: Fri, 30 Aug 2019 21:32:40 +0300 Subject: [PATCH 1/5] SIEM connector: change alert notion to Detection --- windows/security/threat-protection/TOC.md | 15 +-- .../api-portal-mapping.md | 70 +++++----- .../configure-arcsight.md | 20 +-- .../microsoft-defender-atp/configure-siem.md | 35 ++--- .../configure-splunk.md | 24 ++-- .../enable-siem-integration.md | 22 ++-- .../get-ip-related-machines.md | 122 ------------------ .../is-domain-seen-in-org.md | 82 ------------ .../microsoft-defender-atp/is-ip-seen-org.md | 82 ------------ .../microsoft-defender-atp/oldTOC.txt | 15 +-- .../pull-alerts-using-rest-api.md | 48 +++---- .../troubleshoot-siem.md | 10 +- 12 files changed, 139 insertions(+), 406 deletions(-) delete mode 100644 windows/security/threat-protection/microsoft-defender-atp/get-ip-related-machines.md delete mode 100644 windows/security/threat-protection/microsoft-defender-atp/is-domain-seen-in-org.md delete mode 100644 windows/security/threat-protection/microsoft-defender-atp/is-ip-seen-org.md diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 03328a26ed..75a0d95d54 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -398,7 +398,6 @@ ####### [Get domain related alerts](microsoft-defender-atp/get-domain-related-alerts.md) ####### [Get domain related machines](microsoft-defender-atp/get-domain-related-machines.md) ####### [Get domain statistics](microsoft-defender-atp/get-domain-statistics.md) -####### [Is domain seen in organization (Deprecated)](microsoft-defender-atp/is-domain-seen-in-org.md) ###### [File]() ####### [File methods and properties](microsoft-defender-atp/files.md) 
@@ -409,9 +408,7 @@ ###### [IP]() ####### [Get IP related alerts](microsoft-defender-atp/get-ip-related-alerts.md) -####### [Get IP related machines (Deprecated)](microsoft-defender-atp/get-ip-related-machines.md) ####### [Get IP statistics](microsoft-defender-atp/get-ip-statistics.md) -####### [Is IP seen in organization (Deprecated)](microsoft-defender-atp/is-ip-seen-org.md) ###### [User]() ####### [User methods](microsoft-defender-atp/user.md) @@ -440,13 +437,13 @@ ##### [Experiment with custom threat intelligence alerts (Deprecated)](microsoft-defender-atp/experiment-custom-ti.md) ##### [Troubleshoot custom threat intelligence issues (Deprecated)](microsoft-defender-atp/troubleshoot-custom-ti.md) -#### [Pull alerts to your SIEM tools]() -##### [Learn about different ways to pull alerts](microsoft-defender-atp/configure-siem.md) +#### [Pull Detections to your SIEM tools]() +##### [Learn about different ways to pull Detections](microsoft-defender-atp/configure-siem.md) ##### [Enable SIEM integration](microsoft-defender-atp/enable-siem-integration.md) -##### [Configure Splunk to pull alerts](microsoft-defender-atp/configure-splunk.md) -##### [Configure HP ArcSight to pull alerts](microsoft-defender-atp/configure-arcsight.md) -##### [Microsoft Defender ATP SIEM alert API fields](microsoft-defender-atp/api-portal-mapping.md) -##### [Pull alerts using SIEM REST API](microsoft-defender-atp/pull-alerts-using-rest-api.md) +##### [Configure Splunk to pull Detections](microsoft-defender-atp/configure-splunk.md) +##### [Configure HP ArcSight to pull Detections](microsoft-defender-atp/configure-arcsight.md) +##### [Microsoft Defender ATP Detection fields](microsoft-defender-atp/api-portal-mapping.md) +##### [Pull Detections using SIEM REST API](microsoft-defender-atp/pull-alerts-using-rest-api.md) ##### [Troubleshoot SIEM tool integration issues](microsoft-defender-atp/troubleshoot-siem.md) #### [Reporting]() 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md b/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md index 9706e81443..da3c3c1da2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md @@ -1,7 +1,7 @@ --- -title: Microsoft Defender ATP alert API fields -description: Understand how the alert API fields map to the values in Microsoft Defender Security Center -keywords: alerts, alert fields, fields, api, fields, pull alerts, rest api, request, response +title: Microsoft Defender ATP Detections API fields +description: Understand how the Detections API fields map to the values in Microsoft Defender Security Center +keywords: Detections, Detections fields, fields, api, fields, pull Detections, rest api, request, response search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -18,7 +18,7 @@ ms.topic: article ms.date: 10/16/2017 --- -# Microsoft Defender ATP SIEM alert API fields +# Microsoft Defender ATP Detections API fields **Applies to:** 
@@ -26,10 +26,14 @@ ms.date: 10/16/2017 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-apiportalmapping-abovefoldlink) -Understand what data fields are exposed as part of the alerts API and how they map to Microsoft Defender Security Center. +Understand what data fields are exposed as part of the Detections API and how they map to Microsoft Defender Security Center. -## Alert API fields and portal mapping -The following table lists the available fields exposed in the alerts API payload. It shows examples for the populated values and a reference on how data is reflected on the portal. +>[!Note] +>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more Detections +>- **Microsoft Defender ATP Detection** is composed from the suspicious event occurred on the Machine and its related **Alert** details. + +## Detections API fields and portal mapping +The following table lists the available fields exposed in the Detections API payload. It shows examples for the populated values and a reference on how data is reflected on the portal. The ArcSight field column contains the default mapping between the Microsoft Defender ATP fields and the built-in fields in ArcSight. You can download the mapping file from the portal when you enable the SIEM integration feature and you can modify it to match the needs of your organization. For more information, see [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md). 
@@ -39,33 +43,33 @@ Field numbers match the numbers in the images below. > > | Portal label | SIEM field name | ArcSight field | Example value | Description | > |------------------|---------------------------|---------------------|------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -> | 1 | AlertTitle | name | Windows Defender AV detected 'Mikatz' high-severity malware | Value available for every alert. | -> | 2 | Severity | deviceSeverity | High | Value available for every alert. | -> | 3 | Category | deviceEventCategory | Malware | Value available for every alert. | -> | 4 | Detection source | sourceServiceName | Antivirus | Windows Defender Antivirus or Microsoft Defender ATP. Value available for every alert. | -> | 5 | MachineName | sourceHostName | desktop-4a5ngd6 | Value available for every alert. | -> | 6 | FileName | fileName | Robocopy.exe | Available for alerts associated with a file or process. | -> | 7 | FilePath | filePath | C:\Windows\System32\Robocopy.exe | Available for alerts associated with a file or process. | -> | 8 | UserDomain | sourceNtDomain | CONTOSO | The domain of the user context running the activity, available for Microsoft Defender ATP behavioral based alerts. | -> | 9 | UserName | sourceUserName | liz.bean | The user context running the activity, available for Microsoft Defender ATP behavioral based alerts. | -> | 10 | Sha1 | fileHash | 3da065e07b990034e9db7842167f70b63aa5329 | Available for alerts associated with a file or process. | -> | 11 | Sha256 | deviceCustomString6 | ebf54f745dc81e1958f75e4ca91dd0ab989fc9787bb6b0bf993e2f5 | Available for Windows Defender AV alerts. | -> | 12 | Md5 | deviceCustomString5 | db979c04a99b96d370988325bb5a8b21 | Available for Windows Defender AV alerts. 
| -> | 13 | ThreatName | deviceCustomString1 | HackTool:Win32/Mikatz!dha | Available for Windows Defender AV alerts. | -> | 14 | IpAddress | sourceAddress | 218.90.204.141 | Available for alerts associated to network events. For example, 'Communication to a malicious network destination'. | -> | 15 | Url | requestUrl | down.esales360.cn | Available for alerts associated to network events. For example, 'Communication to a malicious network destination'. | -> | 16 | RemediationIsSuccess | deviceCustomNumber2 | TRUE | Available for Windows Defender AV alerts. ArcSight value is 1 when TRUE and 0 when FALSE. | -> | 17 | WasExecutingWhileDetected | deviceCustomNumber1 | FALSE | Available for Windows Defender AV alerts. ArcSight value is 1 when TRUE and 0 when FALSE. | -> | 18 | AlertId | externalId | 636210704265059241_673569822 | Value available for every alert. | -> | 19 | LinkToWDATP | flexString1 | `https://securitycenter.windows.com/alert/636210704265059241_673569822` | Value available for every alert. | -> | 20 | AlertTime | deviceReceiptTime | 2017-05-07T01:56:59.3191352Z | The time the activity relevant to the alert occurred. Value available for every alert. | -> | 21 | MachineDomain | sourceDnsDomain | contoso.com | Domain name not relevant for AAD joined machines. Value available for every alert. | +> | 1 | AlertTitle | name | Windows Defender AV detected 'Mikatz' high-severity malware | Value available for every Detection. | +> | 2 | Severity | deviceSeverity | High | Value available for every Detection. | +> | 3 | Category | deviceEventCategory | Malware | Value available for every Detection. | +> | 4 | Detection source | sourceServiceName | Antivirus | Windows Defender Antivirus or Microsoft Defender ATP. Value available for every Detection. | +> | 5 | MachineName | sourceHostName | desktop-4a5ngd6 | Value available for every Detection. | +> | 6 | FileName | fileName | Robocopy.exe | Available for Detections associated with a file or process. 
| +> | 7 | FilePath | filePath | C:\Windows\System32\Robocopy.exe | Available for Detections associated with a file or process. | +> | 8 | UserDomain | sourceNtDomain | CONTOSO | The domain of the user context running the activity, available for Microsoft Defender ATP behavioral based Detections. | +> | 9 | UserName | sourceUserName | liz.bean | The user context running the activity, available for Microsoft Defender ATP behavioral based Detections. | +> | 10 | Sha1 | fileHash | 3da065e07b990034e9db7842167f70b63aa5329 | Available for Detections associated with a file or process. | +> | 11 | Sha256 | deviceCustomString6 | ebf54f745dc81e1958f75e4ca91dd0ab989fc9787bb6b0bf993e2f5 | Available for Windows Defender AV Detections. | +> | 12 | Md5 | deviceCustomString5 | db979c04a99b96d370988325bb5a8b21 | Available for Windows Defender AV Detections. | +> | 13 | ThreatName | deviceCustomString1 | HackTool:Win32/Mikatz!dha | Available for Windows Defender AV Detections. | +> | 14 | IpAddress | sourceAddress | 218.90.204.141 | Available for Detections associated to network events. For example, 'Communication to a malicious network destination'. | +> | 15 | Url | requestUrl | down.esales360.cn | Available for Detections associated to network events. For example, 'Communication to a malicious network destination'. | +> | 16 | RemediationIsSuccess | deviceCustomNumber2 | TRUE | Available for Windows Defender AV Detections. ArcSight value is 1 when TRUE and 0 when FALSE. | +> | 17 | WasExecutingWhileDetected | deviceCustomNumber1 | FALSE | Available for Windows Defender AV Detections. ArcSight value is 1 when TRUE and 0 when FALSE. | +> | 18 | AlertId | externalId | 636210704265059241_673569822 | Value available for every Detection. | +> | 19 | LinkToWDATP | flexString1 | `https://securitycenter.windows.com/alert/636210704265059241_673569822` | Value available for every Detection. 
| +> | 20 | AlertTime | deviceReceiptTime | 2017-05-07T01:56:59.3191352Z | The time the event occurred. Value available for every Detection. | +> | 21 | MachineDomain | sourceDnsDomain | contoso.com | Domain name not relevant for AAD joined machines. Value available for every Detection. | > | 22 | Actor | deviceCustomString4 | BORON | Available for alerts related to a known actor group. | -> | 21+5 | ComputerDnsName | No mapping | liz-bean.contoso.com | The machine fully qualified domain name. Value available for every alert. | +> | 21+5 | ComputerDnsName | No mapping | liz-bean.contoso.com | The machine fully qualified domain name. Value available for every Detection. | > | | LogOnUsers | sourceUserId | contoso\liz-bean; contoso\jay-hardee | The domain and user of the interactive logon user/s at the time of the event. Note: For machines on Windows 10 version 1607, the domain information will not be available. | > | | InternalIPv4List | No mapping | 192.168.1.7, 10.1.14.1 | List of IPV4 internal IPs for active network interfaces. | > | | InternalIPv6List | No mapping | fd30:0000:0000:0001:ff4e:003e:0009:000e, FE80:CD00:0000:0CDE:1257:0000:211E:729C | List of IPV6 internal IPs for active network interfaces. | -> | Internal field | LastProcessedTimeUtc | No mapping | 2017-05-07T01:56:58.9936648Z | Time when event arrived at the backend. This field can be used when setting the request parameter for the range of time that alerts are retrieved. | +> | Internal field | LastProcessedTimeUtc | No mapping | 2017-05-07T01:56:58.9936648Z | Time when event arrived at the backend. This field can be used when setting the request parameter for the range of time that Detections are retrieved. | > | | Not part of the schema | deviceVendor | | Static value in the ArcSight mapping - 'Microsoft'. | > | | Not part of the schema | deviceProduct | | Static value in the ArcSight mapping - 'Microsoft Defender ATP'. 
| > | | Not part of the schema | deviceVersion | | Static value in the ArcSight mapping - '2.0', used to identify the mapping versions. @@ -88,7 +92,7 @@ Field numbers match the numbers in the images below. ## Related topics - [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md) -- [Configure Splunk to pull Microsoft Defender ATP alerts](configure-splunk.md) -- [Configure ArcSight to pull Microsoft Defender ATP alerts](configure-arcsight.md) -- [Pull Microsoft Defender ATP alerts using REST API](pull-alerts-using-rest-api.md) +- [Configure Splunk to pull Microsoft Defender ATP Detections](configure-splunk.md) +- [Configure ArcSight to pull Microsoft Defender ATP Detections](configure-arcsight.md) +- [Pull Microsoft Defender ATP Detections using REST API](pull-alerts-using-rest-api.md) - [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md b/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md index 22c9359f44..ef25a343c3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md @@ -1,6 +1,6 @@ --- -title: Configure HP ArcSight to pull Microsoft Defender ATP alerts -description: Configure HP ArcSight to receive and pull alerts from Microsoft Defender Security Center +title: Configure HP ArcSight to pull Microsoft Defender ATP Detections +description: Configure HP ArcSight to receive and pull Detections from Microsoft Defender Security Center keywords: configure hp arcsight, security information and events management tools, arcsight search.product: eADQiWindows 10XVcnh search.appverid: met150 
@@ -18,7 +18,7 @@ ms.topic: article ms.date: 12/20/2018 --- -# Configure HP ArcSight to pull Microsoft Defender ATP alerts +# Configure HP ArcSight to pull Microsoft Defender ATP Detections **Applies to:** @@ -29,10 +29,14 @@ ms.date: 12/20/2018 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configurearcsight-abovefoldlink) -You'll need to install and configure some files and tools to use HP ArcSight so that it can pull Microsoft Defender ATP alerts. +You'll need to install and configure some files and tools to use HP ArcSight so that it can pull Microsoft Defender ATP Detections. + +>[!Note] +>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more Detections +>- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details. ## Before you begin -Configuring the HP ArcSight Connector tool requires several configuration files for it to pull and parse alerts from your Azure Active Directory (AAD) application. +Configuring the HP ArcSight Connector tool requires several configuration files for it to pull and parse Detections from your Azure Active Directory (AAD) application. This section guides you in getting the necessary information to set and use the required configuration files correctly. @@ -163,7 +167,7 @@ The following steps assume that you have completed all the required steps in [Be You can now run queries in the HP ArcSight console. -Microsoft Defender ATP alerts will appear as discrete events, with "Microsoft” as the vendor and “Windows Defender ATP” as the device name. +Microsoft Defender ATP Detections will appear as discrete events, with "Microsoft” as the vendor and “Windows Defender ATP” as the device name. ## Troubleshooting HP ArcSight connection 
@@ -187,6 +191,6 @@ Microsoft Defender ATP alerts will appear as discrete events, with "Microsoft” ## Related topics - [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md) -- [Configure Splunk to pull Microsoft Defender ATP alerts](configure-splunk.md) -- [Pull Microsoft Defender ATP alerts using REST API](pull-alerts-using-rest-api.md) +- [Configure Splunk to pull Microsoft Defender ATP Detections](configure-splunk.md) +- [Pull Microsoft Defender ATP Detections using REST API](pull-alerts-using-rest-api.md) - [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md b/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md index c5e8719018..5fe5d31642 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md @@ -1,6 +1,6 @@ --- -title: Pull alerts to your SIEM tools from Microsoft Defender Advanced Threat Protection -description: Learn how to use REST API and configure supported security information and events management tools to receive and pull alerts. +title: Pull Detections to your SIEM tools from Microsoft Defender Advanced Threat Protection +description: Learn how to use REST API and configure supported security information and events management tools to receive and pull Detections. keywords: configure siem, security information and events management tools, splunk, arcsight, custom indicators, rest api, alert definitions, indicators of compromise search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -18,7 +18,7 @@ ms.topic: article ms.date: 10/16/2017 --- -# Pull alerts to your SIEM tools +# Pull Detections to your SIEM tools **Applies to:** 
@@ -26,8 +26,13 @@ ms.date: 10/16/2017 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configuresiem-abovefoldlink) -## Pull alerts using security information and events management (SIEM) tools -Microsoft Defender ATP supports (SIEM) tools to pull alerts. Microsoft Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to pull alerts from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment. +## Pull Detections using security information and events management (SIEM) tools + +>[!Note] +>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more Detections +>- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details. + +Microsoft Defender ATP supports (SIEM) tools to pull Detections. Microsoft Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to pull Detections from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment. Microsoft Defender ATP currently supports the following SIEM tools: 
@@ -39,16 +44,16 @@ To use either of these supported SIEM tools you'll need to: - [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md) - Configure the supported SIEM tool: - - [Configure Splunk to pull Microsoft Defender ATP alerts](configure-splunk.md) - - [Configure HP ArcSight to pull Microsoft Defender ATP alerts](configure-arcsight.md) + - [Configure Splunk to pull Microsoft Defender ATP Detections](configure-splunk.md) + - [Configure HP ArcSight to pull Microsoft Defender ATP Detections](configure-arcsight.md) -For more information on the list of fields exposed in the alerts API see, [Microsoft Defender ATP alert API fields](api-portal-mapping.md). +For more information on the list of fields exposed in the Detection API see, [Microsoft Defender ATP Detection fields](api-portal-mapping.md). -## Pull Microsoft Defender ATP alerts using REST API -Microsoft Defender ATP supports the OAuth 2.0 protocol to pull alerts using REST API. +## Pull Microsoft Defender ATP Detections using REST API +Microsoft Defender ATP supports the OAuth 2.0 protocol to pull Detections using REST API. -For more information, see [Pull Microsoft Defender ATP alerts using REST API](pull-alerts-using-rest-api.md). +For more information, see [Pull Microsoft Defender ATP Detections using REST API](pull-alerts-using-rest-api.md). ## In this section 
@@ -56,8 +61,8 @@ For more information, see [Pull Microsoft Defender ATP alerts using REST API](pu Topic | Description :---|:--- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md)| Learn about enabling the SIEM integration feature in the **Settings** page in the portal so that you can use and generate the required information to configure supported SIEM tools. -[Configure Splunk to pull Microsoft Defender ATP alerts](configure-splunk.md)| Learn about installing the REST API Modular Input app and other configuration settings to enable Splunk to pull Microsoft Defender ATP alerts. -[Configure HP ArcSight to pull Microsoft Defender ATP alerts](configure-arcsight.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to pull Microsoft Defender ATP alerts. -[Microsoft Defender ATP alert API fields](api-portal-mapping.md) | Understand what data fields are exposed as part of the alerts API and how they map to Microsoft Defender Security Center. -[Pull Microsoft Defender ATP alerts using REST API](pull-alerts-using-rest-api.md) | Use the Client credentials OAuth 2.0 flow to pull alerts from Microsoft Defender ATP using REST API. +[Configure Splunk to pull Microsoft Defender ATP Detections](configure-splunk.md)| Learn about installing the REST API Modular Input App and other configuration settings to enable Splunk to pull Microsoft Defender ATP Detections. +[Configure HP ArcSight to pull Microsoft Defender ATP Detections](configure-arcsight.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to pull Microsoft Defender ATP Detections. +[Microsoft Defender ATP Detection fields](api-portal-mapping.md) | Understand what data fields are exposed as part of the alerts API and how they map to Microsoft Defender Security Center. 
+[Pull Microsoft Defender ATP Detections using REST API](pull-alerts-using-rest-api.md) | Use the Client credentials OAuth 2.0 flow to pull Detections from Microsoft Defender ATP using REST API. [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md) | Address issues you might encounter when using the SIEM integration feature. diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md b/windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md index 13cf662e66..ca4a9972c7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md @@ -1,6 +1,6 @@ --- -title: Configure Splunk to pull Microsoft Defender ATP alerts -description: Configure Splunk to receive and pull alerts from Microsoft Defender Security Center. +title: Configure Splunk to pull Microsoft Defender ATP Detections +description: Configure Splunk to receive and pull Detections from Microsoft Defender Security Center. keywords: configure splunk, security information and events management tools, splunk search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -17,7 +17,7 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Configure Splunk to pull Microsoft Defender ATP alerts +# Configure Splunk to pull Microsoft Defender ATP Detections **Applies to:** 
@@ -28,7 +28,11 @@ ms.topic: article >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configuresplunk-abovefoldlink) -You'll need to configure Splunk so that it can pull Microsoft Defender ATP alerts. +You'll need to configure Splunk so that it can pull Microsoft Defender ATP Detections. + +>[!Note] +>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more Detections +>- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details. ## Before you begin @@ -121,8 +125,8 @@ You'll need to configure Splunk so that it can pull Microsoft Defender ATP alert After completing these configuration steps, you can go to the Splunk dashboard and run queries. -## View alerts using Splunk solution explorer -Use the solution explorer to view alerts in Splunk. +## View Detections using Splunk solution explorer +Use the solution explorer to view Detections in Splunk. 1. In Splunk, go to **Settings** > **Searchers, reports, and alerts**. 
@@ -141,12 +145,12 @@ Use the solution explorer to view alerts in Splunk. >[!TIP] -> To mininimize alert duplications, you can use the following query: +> To mininimize Detection duplications, you can use the following query: >```source="rest://windows atp alerts" | spath | dedup _raw | table *``` ## Related topics - [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md) -- [Configure ArcSight to pull Microsoft Defender ATP alerts](configure-arcsight.md) -- [Microsoft Defender ATP alert API fields](api-portal-mapping.md) -- [Pull Microsoft Defender ATP alerts using REST API](pull-alerts-using-rest-api.md) +- [Configure ArcSight to pull Microsoft Defender ATP Detections](configure-arcsight.md) +- [Microsoft Defender ATP Detection fields](api-portal-mapping.md) +- [Pull Microsoft Defender ATP Detections using REST API](pull-alerts-using-rest-api.md) - [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md b/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md index 2c9fa62654..26fb69ca84 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md @@ -1,6 +1,6 @@ --- title: Enable SIEM integration in Microsoft Defender ATP -description: Enable SIEM integration to receive alerts in your security information and event management (SIEM) solution. +description: Enable SIEM integration to receive Detections in your security information and event management (SIEM) solution. keywords: enable siem connector, siem, connector, security information and events search.product: eADQiWindows 10XVcnh search.appverid: met150 
@@ -26,7 +26,11 @@ ms.date: 12/10/2018 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-enablesiem-abovefoldlink) -Enable security information and event management (SIEM) integration so you can pull alerts from Microsoft Defender Security Center using your SIEM solution or by connecting directly to the alerts REST API. +Enable security information and event management (SIEM) integration so you can pull Detections from Microsoft Defender Security Center using your SIEM solution or by connecting directly to the Detections REST API. + +>[!Note] +>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more Detections +>- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details. ## Prerequisites - The user who activates the setting must have permissions to create an app in Azure Active Directory (AAD). This is typically someone with a **Global administrator** role. @@ -55,7 +59,7 @@ Enable security information and event management (SIEM) integration so you can p > - WDATP-connector.jsonparser.properties > - WDATP-connector.properties
- If you want to connect directly to the alerts REST API through programmatic access, choose **Generic API**. + If you want to connect directly to the Detections REST API through programmatic access, choose **Generic API**. 4. Copy the individual values or select **Save details to file** to download a file that contains all the values. 
@@ -64,14 +68,14 @@ Enable security information and event management (SIEM) integration so you can p > [!NOTE] > You'll need to generate a new Refresh token every 90 days. -You can now proceed with configuring your SIEM solution or connecting to the alerts REST API through programmatic access. You'll need to use the tokens when configuring your SIEM solution to allow it to receive alerts from Microsoft Defender Security Center. +You can now proceed with configuring your SIEM solution or connecting to the Detections REST API through programmatic access. You'll need to use the tokens when configuring your SIEM solution to allow it to receive Detections from Microsoft Defender Security Center. ## Integrate Microsoft Defender ATP with IBM QRadar -You can configure IBM QRadar to collect alerts from Microsoft Defender ATP. For more information, see [IBM Knowledge Center](https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/c_dsm_guide_MS_Win_Defender_ATP_overview.html?cp=SS42VS_7.3.1). +You can configure IBM QRadar to collect Detections from Microsoft Defender ATP. For more information, see [IBM Knowledge Center](https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/c_dsm_guide_MS_Win_Defender_ATP_overview.html?cp=SS42VS_7.3.1). ## Related topics -- [Configure Splunk to pull Microsoft Defender ATP alerts](configure-splunk.md) -- [Configure HP ArcSight to pull Microsoft Defender ATP alerts](configure-arcsight.md) -- [Microsoft Defender ATP alert API fields](api-portal-mapping.md) -- [Pull Microsoft Defender ATP alerts using REST API](pull-alerts-using-rest-api.md) +- [Configure Splunk to pull Microsoft Defender ATP Detections](configure-splunk.md) +- [Configure HP ArcSight to pull Microsoft Defender ATP Detections](configure-arcsight.md) +- [Microsoft Defender ATP Detection fields](api-portal-mapping.md) +- [Pull Microsoft Defender ATP Detections using REST API](pull-alerts-using-rest-api.md) - [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-machines.md deleted file mode 100644 index c247c9aa81..0000000000 --- a/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-machines.md +++ /dev/null 
@@ -1,122 +0,0 @@ ---- -title: Get IP related machines API -description: Retrieves a collection of machines related to a given IP address. -keywords: apis, graph api, supported apis, get, ip, related, machines -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: article ---- - -# Get IP related machines API (Deprecated) - -**Applies to:** - -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -Retrieves a collection of machines that communicated with or from a particular IP. - -## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) - -Permission type | Permission | Permission display name -:---|:---|:--- -Application | Machine.Read.All | 'Read all machine profiles' -Application | Machine.ReadWrite.All | 'Read and write all machine information' -Delegated (work or school account) | Machine.Read | 'Read machine information' -Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information' - ->[!Note] -> When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information) ->- Response will include only machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information) - -## HTTP request -``` -GET /api/ips/{ip}/machines -``` - -## Request headers - -Name | Type | Description -:---|:---|:--- -Authorization | String | Bearer {token}. **Required**. 
- - -## Request body -Empty - -## Response -If successful and IP exists - 200 OK with list of [machine](machine.md) entities in the body. If IP do not exist - 404 Not Found. - - -## Example - -**Request** - -Here is an example of the request. - -[!include[Improve request performance](improve-request-performance.md)] - -``` -GET https://api.securitycenter.windows.com/api/ips/10.209.67.177/machines -``` - -**Response** - -Here is an example of the response. - - -``` -HTTP/1.1 200 OK -Content-type: application/json -{ - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines", - "value": [ - { - "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", - "computerDnsName": "mymachine1.contoso.com", - "firstSeen": "2018-08-02T14:55:03.7791856Z", - "lastSeen": "2018-08-02T14:55:03.7791856Z", - "osPlatform": "Windows10", - "osVersion": "10.0.0.0", - "lastIpAddress": "172.17.230.209", - "lastExternalIpAddress": "167.220.196.71", - "agentVersion": "10.5830.18209.1001", - "osBuild": 18209, - "healthStatus": "Active", - "rbacGroupId": 140, - "riskScore": "Low", - "rbacGroupName": "The-A-Team", - "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", - "machineTags": [ "test tag 1", "test tag 2" ] - }, - { - "id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7", - "computerDnsName": "mymachine2.contoso.com", - "firstSeen": "2018-07-09T13:22:45.1250071Z", - "lastSeen": "2018-07-09T13:22:45.1250071Z", - "osPlatform": "Windows10", - "osVersion": "10.0.0.0", - "lastIpAddress": "192.168.12.225", - "lastExternalIpAddress": "79.183.65.82", - "agentVersion": "10.5820.17724.1000", - "osBuild": 17724, - "healthStatus": "Inactive", - "rbacGroupId": 140, - "rbacGroupName": "The-A-Team", - "riskScore": "Low", - "aadDeviceId": null, - "machineTags": [ "test tag 1" ] - } - ] -} -``` 
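Review bot: this hunk deletes a published API reference page (get-ip-related-machines.md) while the patch touches no redirection file, so existing links, bookmarks and search results for the deprecated Get IP related machines API will return 404 once this merges. Add a redirect entry for the removed path in .openpublishing.redirection.json in the same change, and do the same for the is-domain-seen-in-org.md and is-ip-seen-org.md deletions that follow.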
diff --git a/windows/security/threat-protection/microsoft-defender-atp/is-domain-seen-in-org.md b/windows/security/threat-protection/microsoft-defender-atp/is-domain-seen-in-org.md deleted file mode 100644 index 38debbe291..0000000000 --- a/windows/security/threat-protection/microsoft-defender-atp/is-domain-seen-in-org.md +++ /dev/null 
@@ -1,82 +0,0 @@ ---- -title: Is domain seen in org API -description: Use this API to create calls related to checking whether a domain was seen in the organization. -keywords: apis, graph api, supported apis, domain, domain seen -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: article ---- - -# Was domain seen in org (Deprecated) - -**Applies to:** - -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -Answers whether a domain was seen in the organization. - -## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) - -Permission type | Permission | Permission display name -:---|:---|:--- -Application | Url.Read.All | 'Read URLs' -Delegated (work or school account) | URL.Read.All | 'Read URLs' - ->[!Note] -> When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information) - -## HTTP request -``` -GET /api/domains/{domain} -``` - -## Request headers - -Header | Value -:---|:--- -Authorization | Bearer {token}. **Required**. - - -## Request body -Empty - -## Response -If successful and domain exists - 200 OK. If domain does not exist - 404 Not Found. - -## Example - -**Request** - -Here is an example of the request. - -[!include[Improve request performance](improve-request-performance.md)] - -``` -GET https://api.securitycenter.windows.com/api/domains/example.com -Content-type: application/json -``` - -**Response** - -Here is an example of the response. 
- - -``` -HTTP/1.1 200 OK -Content-type: application/json -{ - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Domains/$entity", - "host": "example.com" -} -``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/is-ip-seen-org.md b/windows/security/threat-protection/microsoft-defender-atp/is-ip-seen-org.md deleted file mode 100644 index f112796be2..0000000000 --- a/windows/security/threat-protection/microsoft-defender-atp/is-ip-seen-org.md +++ /dev/null 
@@ -1,82 +0,0 @@ ---- -title: Is IP seen in org API -description: Answers whether an IP was seen in the organization. -keywords: apis, graph api, supported apis, is, ip, seen, org, organization -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: article ---- - -# Was IP seen in org (Deprecated) - -**Applies to:** - -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -Answers whether an IP was seen in the organization. - -## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) - -Permission type | Permission | Permission display name -:---|:---|:--- -Application | Ip.Read.All | 'Read IP address profiles' -Delegated (work or school account) | Ip.Read.All | 'Read IP address profiles' - ->[!Note] -> When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information) - -## HTTP request -``` -GET /api/ips/{ip} -``` - -## Request headers - -Name | Type | Description -:---|:---|:--- -Authorization | String | Bearer {token}. **Required**. - - -## Request body -Empty - -## Response -If successful and IP exists - 200 OK. If IP do not exist - 404 Not Found. - - -## Example - -**Request** - -Here is an example of the request. - -``` -GET https://api.securitycenter.windows.com/api/ips/10.209.67.177 -``` - -**Response** - -Here is an example of the response. 
- -[!include[Improve request performance](improve-request-performance.md)] - - -``` -HTTP/1.1 200 OK -Content-type: application/json -{ - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Ips/$entity", - "id": "10.209.67.177" -} -``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt b/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt index f06995f573..9dd1998f62 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt +++ b/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt @@ -392,7 +392,6 @@ ####### [Get domain related alerts](get-domain-related-alerts.md) ####### [Get domain related machines](get-domain-related-machines.md) ####### [Get domain statistics](get-domain-statistics.md) -####### [Is domain seen in organization (Deprecated)](is-domain-seen-in-org.md) ###### [File]() ####### [Methods and properties](files.md) @@ -403,9 +402,7 @@ ###### [IP]() ####### [Get IP related alerts](get-ip-related-alerts.md) -####### [Get IP related machines (Deprecated)](get-ip-related-machines.md) ####### [Get IP statistics](get-ip-statistics.md) -####### [Is IP seen in organization (Deprecated)](is-ip-seen-org.md) ###### [User]() ####### [Methods](user.md) 
@@ -428,13 +425,13 @@ ##### [Experiment with custom threat intelligence alerts](experiment-custom-ti.md) ##### [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti.md) -#### [Pull alerts to your SIEM tools]() -##### [Learn about different ways to pull alerts](configure-siem.md) +#### [Pull Detections to your SIEM tools]() +##### [Learn about different ways to pull Detections](configure-siem.md) ##### [Enable SIEM integration](enable-siem-integration.md) -##### [Configure Splunk to pull alerts](configure-splunk.md) -##### [Configure HP ArcSight to pull alerts](configure-arcsight.md) -##### [Microsoft Defender ATP SIEM alert API fields](api-portal-mapping.md) -##### [Pull alerts using SIEM REST API](pull-alerts-using-rest-api.md) +##### [Configure Splunk to pull Detections](configure-splunk.md) +##### [Configure HP ArcSight to pull Detections](configure-arcsight.md) +##### [Microsoft Defender ATP Detection fields](api-portal-mapping.md) +##### [Pull Detections using SIEM REST API](pull-alerts-using-rest-api.md) ##### [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md) #### [Reporting]() diff --git a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md index abf6c2fb00..b1efc09ba1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md +++ b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md 
@@ -1,7 +1,7 @@ --- -title: Pull Microsoft Defender ATP alerts using REST API -description: Pull alerts from Microsoft Defender ATP REST API. -keywords: alerts, pull alerts, rest api, request, response +title: Pull Microsoft Defender ATP Detections using REST API +description: Pull Detections from Microsoft Defender ATP REST API. +keywords: Detections, pull Detections, rest api, request, response search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -17,7 +17,7 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Pull Microsoft Defender ATP alerts using SIEM REST API +# Pull Microsoft Defender ATP Detections using SIEM REST API **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -26,7 +26,11 @@ ms.topic: article >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-pullalerts-abovefoldlink) -Microsoft Defender ATP supports the OAuth 2.0 protocol to pull alerts from the portal. +>[!Note] +>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more Detections +>- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details. + +Microsoft Defender ATP supports the OAuth 2.0 protocol to pull Detections from the API. In general, the OAuth 2.0 protocol supports four types of flows: - Authorization grant flow 
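Review bot: the new [!Note] block in the @@ -26 hunk of pull-alerts-using-rest-api.md has grammar problems that will be copied into every page that reuses it: "is composed from" should be "is composed of", "the suspicious event occurred on the Machine" needs "that" and a lowercase "machine", and the first bullet lacks the terminating period the second one has. Suggested wording: "- A [Microsoft Defender ATP alert](alerts.md) is composed of one or more detections." and "- A [Microsoft Defender ATP detection](api-portal-mapping.md) is composed of the suspicious event that occurred on the machine and its related alert details."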
@@ -36,19 +40,19 @@ In general, the OAuth 2.0 protocol supports four types of flows: For more information about the OAuth specifications, see the [OAuth Website](http://www.oauth.net). -Microsoft Defender ATP supports the _Authorization grant flow_ and _Client credential flow_ to obtain access to generate alerts from the portal, with Azure Active Directory (AAD) as the authorization server. +Microsoft Defender ATP supports the _Authorization grant flow_ and _Client credential flow_ to obtain access to pull Detections, with Azure Active Directory (AAD) as the authorization server. The _Authorization grant flow_ uses user credentials to get an authorization code, which is then used to obtain an access token. The _Client credential flow_ uses client credentials to authenticate against the Microsoft Defender ATP endpoint URL. This flow is suitable for scenarios when an OAuth client creates requests to an API that doesn't require user credentials. -Use the following method in the Microsoft Defender ATP API to pull alerts in JSON format. +Use the following method in the Microsoft Defender ATP API to pull Detections in JSON format. >[!NOTE] >Microsoft Defender Security Center merges similar alert detections into a single alert. This API pulls alert detections in its raw form based on the query parameters you set, enabling you to apply your own grouping and filtering. ## Before you begin -- Before calling the Microsoft Defender ATP endpoint to pull alerts, you'll need to enable the SIEM integration application in Azure Active Directory (AAD). For more information, see [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md). +- Before calling the Microsoft Defender ATP endpoint to pull Detections, you'll need to enable the SIEM integration application in Azure Active Directory (AAD). For more information, see [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md). 
- Take note of the following values in your Azure application registration. You need these values to configure the OAuth flow in your service or daemon app: - Application ID (unique to your application) @@ -59,7 +63,7 @@ Use the following method in the Microsoft Defender ATP API to pull alerts in JSO ## Get an access token Before creating calls to the endpoint, you'll need to get an access token. -You'll use the access token to access the protected resource, which are alerts in Microsoft Defender ATP. +You'll use the access token to access the protected resource, which are Detections in Microsoft Defender ATP. To get an access token, you'll need to do a POST request to the token issuing endpoint. Here is a sample request: @@ -105,23 +109,23 @@ Use optional query parameters to specify and control the amount of data returned Name | Value| Description :---|:---|:--- -DateTime?sinceTimeUtc | string | Defines the lower time bound alerts are retrieved from, based on field:
`LastProcessedTimeUtc`
The time range will be: from sinceTimeUtc time to current time.

**NOTE**: When not specified, all alerts generated in the last two hours are retrieved. -DateTime?untilTimeUtc | string | Defines the upper time bound alerts are retrieved.
The time range will be: from `sinceTimeUtc` time to `untilTimeUtc` time.

**NOTE**: When not specified, the default value will be the current time. -string ago | string | Pulls alerts in the following time range: from `(current_time - ago)` time to `current_time` time.

Value should be set according to **ISO 8601** duration format
E.g. `ago=PT10M` will pull alerts received in the last 10 minutes. -int?limit | int | Defines the number of alerts to be retrieved. Most recent alerts will be retrieved based on the number defined.

**NOTE**: When not specified, all alerts available in the time range will be retrieved. -machinegroups | String | Specifies machine groups to pull alerts from.

**NOTE**: When not specified, alerts from all machine groups will be retrieved.

Example:

```https://wdatp-alertexporter-eu.securitycenter.windows.com/api/Alerts/?machinegroups=UKMachines&machinegroups=FranceMachines``` +DateTime?sinceTimeUtc | string | Defines the lower time bound Detections are retrieved from, based on field:
`LastProcessedTimeUtc`
The time range will be: from sinceTimeUtc time to current time.

**NOTE**: When not specified, all Detections generated in the last two hours are retrieved. +DateTime?untilTimeUtc | string | Defines the upper time bound Detections are retrieved.
The time range will be: from `sinceTimeUtc` time to `untilTimeUtc` time.

**NOTE**: When not specified, the default value will be the current time. +string ago | string | Pulls Detections in the following time range: from `(current_time - ago)` time to `current_time` time.

Value should be set according to **ISO 8601** duration format
E.g. `ago=PT10M` will pull Detections received in the last 10 minutes. +int?limit | int | Defines the number of Detections to be retrieved. Most recent Detections will be retrieved based on the number defined.

**NOTE**: When not specified, all Detections available in the time range will be retrieved. +machinegroups | String | Specifies machine groups to pull Detections from.

**NOTE**: When not specified, Detections from all machine groups will be retrieved.

Example:

```https://wdatp-alertexporter-eu.securitycenter.windows.com/api/Alerts/?machinegroups=UKMachines&machinegroups=FranceMachines``` DeviceCreatedMachineTags | string | Single machine tag from the registry. CloudCreatedMachineTags | string | Machine tags that were created in Microsoft Defender Security Center. ### Request example -The following example demonstrates how to retrieve all the alerts in your organization. +The following example demonstrates how to retrieve all the Detections in your organization. ```syntax GET https://wdatp-alertexporter-eu.windows.com/api/alerts Authorization: Bearer ``` -The following example demonstrates a request to get the last 20 alerts since 2016-09-12 00:00:00. +The following example demonstrates a request to get the last 20 Detections since 2016-09-12 00:00:00. ```syntax GET https://wdatp-alertexporter-eu.windows.com/api/alerts?limit=20&sinceTimeUtc=2016-09-12T00:00:00.000 @@ -178,14 +182,14 @@ AuthenticationContext context = new AuthenticationContext(string.Format("https:/ ClientCredential clientCredentials = new ClientCredential(clientId, clientSecret); AuthenticationResult authenticationResult = context.AcquireToken(resource, clientCredentials); ``` -### Use token to connect to the alerts endpoint +### Use token to connect to the Detections endpoint ``` HttpClient httpClient = new HttpClient(); httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue(authenticationResult.AccessTokenType, authenticationResult.AccessToken); HttpResponseMessage response = httpClient.GetAsync("https://wdatp-alertexporter-eu.windows.com/api/alert").GetAwaiter().GetResult(); -string alertsJson = response.Content.ReadAsStringAsync().Result; -Console.WriteLine("Got alert list: {0}", alertsJson); +string detectionsJson = response.Content.ReadAsStringAsync().Result; +Console.WriteLine("Got Detections list: {0}", detectionsJson); ``` 
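Review bot: the C# sample in the @@ -178 hunk still calls https://wdatp-alertexporter-eu.windows.com/api/alert (singular) while the request examples in the @@ -105 hunk use /api/alerts and the machinegroups example in the parameter table uses the host wdatp-alertexporter-eu.securitycenter.windows.com; since these lines are being rewritten for the rename anyway, make the host and path consistent so readers do not copy a URL that differs from the documented endpoint. Two further points in the same region: the Name column of the query-parameter table embeds C# type syntax ("DateTime?sinceTimeUtc", "string ago", "int?limit") where the bare query-string names (sinceTimeUtc, ago, limit) belong, the type already being given in the Value column; and the retained NOTE in the @@ -36 hunk ("merges similar alert detections into a single alert. This API pulls alert detections in its raw form") still uses the old "alert detections" wording that the rename is meant to replace.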
@@ -203,7 +207,7 @@ HTTP error code | Description ## Related topics - [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md) -- [Configure ArcSight to pull Microsoft Defender ATP alerts](configure-arcsight.md) -- [Configure Splunk to pull Microsoft Defender ATP alerts](configure-splunk.md) -- [Microsoft Defender ATP alert API fields](api-portal-mapping.md) +- [Configure ArcSight to pull Microsoft Defender ATP Detections](configure-arcsight.md) +- [Configure Splunk to pull Microsoft Defender ATP Detections](configure-splunk.md) +- [Microsoft Defender ATP Detection fields](api-portal-mapping.md) - [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-siem.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-siem.md index c45bc362d2..ea8a66f069 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-siem.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-siem.md @@ -25,7 +25,7 @@ ms.topic: troubleshooting -You might need to troubleshoot issues while pulling alerts in your SIEM tools. +You might need to troubleshoot issues while pulling Detections in your SIEM tools. This page provides detailed steps to troubleshoot issues you might encounter. 
@@ -80,7 +80,7 @@ If you encounter an error when trying to enable the SIEM connector application, ## Related topics - [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md) -- [Configure ArcSight to pull Microsoft Defender ATP alerts](configure-arcsight.md) -- [Configure Splunk to pull Microsoft Defender ATP alerts](configure-splunk.md) -- [Microsoft Defender ATP alert API fields](api-portal-mapping.md) -- [Pull Microsoft Defender ATP alerts using REST API](pull-alerts-using-rest-api.md) +- [Configure ArcSight to pull Microsoft Defender ATP Detections](configure-arcsight.md) +- [Configure Splunk to pull Microsoft Defender ATP Detections](configure-splunk.md) +- [Microsoft Defender ATP Detection fields](api-portal-mapping.md) +- [Pull Microsoft Defender ATP Detections using REST API](pull-alerts-using-rest-api.md) From 1bccd97909fd27c7399e3469b5196bd43e9280aa Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Tue, 3 Sep 2019 10:55:48 -0700 Subject: [PATCH 2/5] update casing and redirects --- .openpublishing.redirection.json | 15 +++++++ windows/security/threat-protection/TOC.md | 12 ++--- .../api-portal-mapping.md | 45 +++++++++---------- .../configure-arcsight.md | 19 ++++---- .../microsoft-defender-atp/configure-siem.md | 28 ++++++------ .../configure-splunk.md | 18 ++++---- .../enable-siem-integration.md | 19 ++++---- .../microsoft-defender-atp/management-apis.md | 1 - .../pull-alerts-using-rest-api.md | 42 ++++++++--------- .../troubleshoot-siem.md | 8 ++-- 10 files changed, 109 insertions(+), 98 deletions(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 16a10bcb81..7ab1d5392d 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json 
@@ -15131,6 +15131,21 @@ "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/microsoft-defender-atp/is-domain-seen-in-org.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts", +"redirect_document_id": false +}, +{ +"source_path": "windows/security/threat-protection/microsoft-defender-atp/get-ip-related-machines.md ", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp/is-ip-seen-org.md", +"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp/exposed-apis-list", +"redirect_document_id": false +}, +{ "source_path": "windows/security/threat-protection/windows-defender-atp/machineaction-windows-defender-advanced-threat-protection-new.md", "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/machineaction", "redirect_document_id": true diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 75a0d95d54..ccf58c6fc9 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md 
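Review bot: two of the three redirect entries added in this .openpublishing.redirection.json hunk will not work as written: the source_path for get-ip-related-machines.md ends with a trailing space ("get-ip-related-machines.md ") and so will never match the deleted file, and the is-ip-seen-org entry repeats the directory segment in both paths ("microsoft-defender-atp/microsoft-defender-atp/is-ip-seen-org.md" and ".../microsoft-defender-atp/microsoft-defender-atp/exposed-apis-list"), neither of which exists. Also, redirect_document_id is true for get-ip-related-machines.md but false for the other two deleted pages; since all three redirect to a different, already existing page rather than to a moved copy, it should be false for all three.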
@@ -437,13 +437,13 @@ ##### [Experiment with custom threat intelligence alerts (Deprecated)](microsoft-defender-atp/experiment-custom-ti.md) ##### [Troubleshoot custom threat intelligence issues (Deprecated)](microsoft-defender-atp/troubleshoot-custom-ti.md) -#### [Pull Detections to your SIEM tools]() -##### [Learn about different ways to pull Detections](microsoft-defender-atp/configure-siem.md) +#### [Pull detections to your SIEM tools]() +##### [Learn about different ways to pull detections](microsoft-defender-atp/configure-siem.md) ##### [Enable SIEM integration](microsoft-defender-atp/enable-siem-integration.md) -##### [Configure Splunk to pull Detections](microsoft-defender-atp/configure-splunk.md) -##### [Configure HP ArcSight to pull Detections](microsoft-defender-atp/configure-arcsight.md) -##### [Microsoft Defender ATP Detection fields](microsoft-defender-atp/api-portal-mapping.md) -##### [Pull Detections using SIEM REST API](microsoft-defender-atp/pull-alerts-using-rest-api.md) +##### [Configure Splunk to pull detections](microsoft-defender-atp/configure-splunk.md) +##### [Configure HP ArcSight to pull detections](microsoft-defender-atp/configure-arcsight.md) +##### [Microsoft Defender ATP detection fields](microsoft-defender-atp/api-portal-mapping.md) +##### [Pull detections using SIEM REST API](microsoft-defender-atp/pull-alerts-using-rest-api.md) ##### [Troubleshoot SIEM tool integration issues](microsoft-defender-atp/troubleshoot-siem.md) #### [Reporting]() diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md b/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md index da3c3c1da2..ef351af05d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md 
@@ -1,7 +1,7 @@ --- -title: Microsoft Defender ATP Detections API fields +title: Microsoft Defender ATP detections API fields description: Understand how the Detections API fields map to the values in Microsoft Defender Security Center -keywords: Detections, Detections fields, fields, api, fields, pull Detections, rest api, request, response +keywords: detections, detections fields, fields, api, fields, pull Detections, rest api, request, response search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -15,10 +15,9 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 10/16/2017 --- -# Microsoft Defender ATP Detections API fields +# Microsoft Defender ATP detections API fields **Applies to:** 
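Review bot: the casing change in the @@ -1,7 hunk of api-portal-mapping.md is incomplete: the title becomes "detections API fields", but the description on the next context line still reads "Detections API fields", and the rewritten keywords line keeps "pull Detections" next to the lowercased "detections, detections fields". Apply the same lowercase form to all three so the metadata and the page title agree.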
@@ -26,14 +25,14 @@ ms.date: 10/16/2017 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-apiportalmapping-abovefoldlink) -Understand what data fields are exposed as part of the Detections API and how they map to Microsoft Defender Security Center. +Understand what data fields are exposed as part of the detections API and how they map to Microsoft Defender Security Center. >[!Note] ->- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more Detections +>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections >- **Microsoft Defender ATP Detection** is composed from the suspicious event occurred on the Machine and its related **Alert** details. ## Detections API fields and portal mapping -The following table lists the available fields exposed in the Detections API payload. It shows examples for the populated values and a reference on how data is reflected on the portal. +The following table lists the available fields exposed in the detections API payload. It shows examples for the populated values and a reference on how data is reflected on the portal. The ArcSight field column contains the default mapping between the Microsoft Defender ATP fields and the built-in fields in ArcSight. You can download the mapping file from the portal when you enable the SIEM integration feature and you can modify it to match the needs of your organization. For more information, see [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md). 
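Review bot: the lowercasing in this hunk stops halfway through the [!Note] block: the first bullet now reads "one or more detections" while the unchanged second bullet still says "**Microsoft Defender ATP Detection** is composed from the suspicious event occurred on the Machine", with the same "composed from" and missing "that" as the pull-alerts-using-rest-api.md copy. Fix both bullets together, e.g. "- A **Microsoft Defender ATP detection** is composed of the suspicious event that occurred on the machine and its related **alert** details."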
@@ -48,18 +47,18 @@ Field numbers match the numbers in the images below. > | 3 | Category | deviceEventCategory | Malware | Value available for every Detection. | > | 4 | Detection source | sourceServiceName | Antivirus | Windows Defender Antivirus or Microsoft Defender ATP. Value available for every Detection. | > | 5 | MachineName | sourceHostName | desktop-4a5ngd6 | Value available for every Detection. | -> | 6 | FileName | fileName | Robocopy.exe | Available for Detections associated with a file or process. | -> | 7 | FilePath | filePath | C:\Windows\System32\Robocopy.exe | Available for Detections associated with a file or process. | -> | 8 | UserDomain | sourceNtDomain | CONTOSO | The domain of the user context running the activity, available for Microsoft Defender ATP behavioral based Detections. | -> | 9 | UserName | sourceUserName | liz.bean | The user context running the activity, available for Microsoft Defender ATP behavioral based Detections. | -> | 10 | Sha1 | fileHash | 3da065e07b990034e9db7842167f70b63aa5329 | Available for Detections associated with a file or process. | -> | 11 | Sha256 | deviceCustomString6 | ebf54f745dc81e1958f75e4ca91dd0ab989fc9787bb6b0bf993e2f5 | Available for Windows Defender AV Detections. | -> | 12 | Md5 | deviceCustomString5 | db979c04a99b96d370988325bb5a8b21 | Available for Windows Defender AV Detections. | -> | 13 | ThreatName | deviceCustomString1 | HackTool:Win32/Mikatz!dha | Available for Windows Defender AV Detections. | -> | 14 | IpAddress | sourceAddress | 218.90.204.141 | Available for Detections associated to network events. For example, 'Communication to a malicious network destination'. | -> | 15 | Url | requestUrl | down.esales360.cn | Available for Detections associated to network events. For example, 'Communication to a malicious network destination'. | -> | 16 | RemediationIsSuccess | deviceCustomNumber2 | TRUE | Available for Windows Defender AV Detections. ArcSight value is 1 when TRUE and 0 when FALSE. 
| -> | 17 | WasExecutingWhileDetected | deviceCustomNumber1 | FALSE | Available for Windows Defender AV Detections. ArcSight value is 1 when TRUE and 0 when FALSE. | +> | 6 | FileName | fileName | Robocopy.exe | Available for detections associated with a file or process. | +> | 7 | FilePath | filePath | C:\Windows\System32\Robocopy.exe | Available for detections associated with a file or process. | +> | 8 | UserDomain | sourceNtDomain | CONTOSO | The domain of the user context running the activity, available for Microsoft Defender ATP behavioral based detections. | +> | 9 | UserName | sourceUserName | liz.bean | The user context running the activity, available for Microsoft Defender ATP behavioral based detections. | +> | 10 | Sha1 | fileHash | 3da065e07b990034e9db7842167f70b63aa5329 | Available for detections associated with a file or process. | +> | 11 | Sha256 | deviceCustomString6 | ebf54f745dc81e1958f75e4ca91dd0ab989fc9787bb6b0bf993e2f5 | Available for Windows Defender AV detections. | +> | 12 | Md5 | deviceCustomString5 | db979c04a99b96d370988325bb5a8b21 | Available for Windows Defender AV detections. | +> | 13 | ThreatName | deviceCustomString1 | HackTool:Win32/Mikatz!dha | Available for Windows Defender AV detections. | +> | 14 | IpAddress | sourceAddress | 218.90.204.141 | Available for detections associated to network events. For example, 'Communication to a malicious network destination'. | +> | 15 | Url | requestUrl | down.esales360.cn | Available for detections associated to network events. For example, 'Communication to a malicious network destination'. | +> | 16 | RemediationIsSuccess | deviceCustomNumber2 | TRUE | Available for Windows Defender AV detections. ArcSight value is 1 when TRUE and 0 when FALSE. | +> | 17 | WasExecutingWhileDetected | deviceCustomNumber1 | FALSE | Available for Windows Defender AV detections. ArcSight value is 1 when TRUE and 0 when FALSE. 
| > | 18 | AlertId | externalId | 636210704265059241_673569822 | Value available for every Detection. | > | 19 | LinkToWDATP | flexString1 | `https://securitycenter.windows.com/alert/636210704265059241_673569822` | Value available for every Detection. | > | 20 | AlertTime | deviceReceiptTime | 2017-05-07T01:56:59.3191352Z | The time the event occurred. Value available for every Detection. | @@ -69,7 +68,7 @@ Field numbers match the numbers in the images below. > | | LogOnUsers | sourceUserId | contoso\liz-bean; contoso\jay-hardee | The domain and user of the interactive logon user/s at the time of the event. Note: For machines on Windows 10 version 1607, the domain information will not be available. | > | | InternalIPv4List | No mapping | 192.168.1.7, 10.1.14.1 | List of IPV4 internal IPs for active network interfaces. | > | | InternalIPv6List | No mapping | fd30:0000:0000:0001:ff4e:003e:0009:000e, FE80:CD00:0000:0CDE:1257:0000:211E:729C | List of IPV6 internal IPs for active network interfaces. | -> | Internal field | LastProcessedTimeUtc | No mapping | 2017-05-07T01:56:58.9936648Z | Time when event arrived at the backend. This field can be used when setting the request parameter for the range of time that Detections are retrieved. | +> | Internal field | LastProcessedTimeUtc | No mapping | 2017-05-07T01:56:58.9936648Z | Time when event arrived at the backend. This field can be used when setting the request parameter for the range of time that detections are retrieved. | > | | Not part of the schema | deviceVendor | | Static value in the ArcSight mapping - 'Microsoft'. | > | | Not part of the schema | deviceProduct | | Static value in the ArcSight mapping - 'Microsoft Defender ATP'. | > | | Not part of the schema | deviceVersion | | Static value in the ArcSight mapping - '2.0', used to identify the mapping versions. 
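Review bot: the casing change in rows 6 through 17 of the api-portal-mapping.md table stops short of the unchanged rows 3, 4, 5, 18, 19 and 20, which still read "Value available for every Detection.", so one table now spells the noun both ways; extend the hunk to those rows (or keep the whole table capitalised) rather than leaving a mixed result. While rows 10 and 11 are being rewritten, their sample hashes are the wrong length for the field they illustrate: `3da065e07b990034e9db7842167f70b63aa5329` is 39 hex characters where a SHA-1 has 40, and `ebf54f745dc81e1958f75e4ca91dd0ab989fc9787bb6b0bf993e2f5` is 55 where a SHA-256 has 64; readers copy these into parsers and filters, so replace them with full-length values.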
@@ -92,7 +91,7 @@ Field numbers match the numbers in the images below. ## Related topics - [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md) -- [Configure Splunk to pull Microsoft Defender ATP Detections](configure-splunk.md) -- [Configure ArcSight to pull Microsoft Defender ATP Detections](configure-arcsight.md) -- [Pull Microsoft Defender ATP Detections using REST API](pull-alerts-using-rest-api.md) +- [Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md) +- [Configure ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md) +- [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md) - [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md b/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md index ef25a343c3..736e5fc809 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md @@ -1,6 +1,6 @@ --- -title: Configure HP ArcSight to pull Microsoft Defender ATP Detections -description: Configure HP ArcSight to receive and pull Detections from Microsoft Defender Security Center +title: Configure HP ArcSight to pull Microsoft Defender ATP detections +description: Configure HP ArcSight to receive and pull detections from Microsoft Defender Security Center keywords: configure hp arcsight, security information and events management tools, arcsight search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -15,10 +15,9 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/20/2018 --- -# Configure HP ArcSight to pull Microsoft Defender ATP Detections +# Configure HP ArcSight to pull Microsoft Defender ATP detections **Applies to:** 
@@ -29,14 +28,14 @@ ms.date: 12/20/2018 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configurearcsight-abovefoldlink) -You'll need to install and configure some files and tools to use HP ArcSight so that it can pull Microsoft Defender ATP Detections. +You'll need to install and configure some files and tools to use HP ArcSight so that it can pull Microsoft Defender ATP detections. >[!Note] ->- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more Detections +>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections >- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details. ## Before you begin -Configuring the HP ArcSight Connector tool requires several configuration files for it to pull and parse Detections from your Azure Active Directory (AAD) application. +Configuring the HP ArcSight Connector tool requires several configuration files for it to pull and parse detections from your Azure Active Directory (AAD) application. This section guides you in getting the necessary information to set and use the required configuration files correctly. @@ -167,7 +166,7 @@ The following steps assume that you have completed all the required steps in [Be You can now run queries in the HP ArcSight console. -Microsoft Defender ATP Detections will appear as discrete events, with "Microsoft” as the vendor and “Windows Defender ATP” as the device name. +Microsoft Defender ATP detections will appear as discrete events, with "Microsoft” as the vendor and “Windows Defender ATP” as the device name. ## Troubleshooting HP ArcSight connection 
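Review bot: the rewritten line in the @@ -167 hunk of configure-arcsight.md still tells readers that detections arrive with “Windows Defender ATP” as the device name, but the api-portal-mapping.md table earlier in this same patch gives the ArcSight deviceProduct static value as 'Microsoft Defender ATP' (mapping version '2.0'); one of the two is stale, and an analyst filtering ArcSight events on the device product string will match nothing if the wrong one is kept. The same sentence mixes a straight opening quote with curly closing quotes ("Microsoft” / “Windows Defender ATP”). Also, the note bullet touched in the @@ -29 hunk, "Alert is composed from one or more detections", should read "is composed of", and its sibling bullet "is composed from the suspicious event occurred on the Machine" needs "composed of the suspicious event that occurred on the machine"; the identical note block is repeated in configure-siem.md, configure-splunk.md, enable-siem-integration.md and pull-alerts-using-rest-api.md in this patch, so fix it in all five.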
@@ -191,6 +190,6 @@ Microsoft Defender ATP Detections will appear as discrete events, with "Microsof ## Related topics - [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md) -- [Configure Splunk to pull Microsoft Defender ATP Detections](configure-splunk.md) -- [Pull Microsoft Defender ATP Detections using REST API](pull-alerts-using-rest-api.md) +- [Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md) +- [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md) - [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md b/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md index 5fe5d31642..89fb09887a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md @@ -1,6 +1,6 @@ --- -title: Pull Detections to your SIEM tools from Microsoft Defender Advanced Threat Protection -description: Learn how to use REST API and configure supported security information and events management tools to receive and pull Detections. +title: Pull detections to your SIEM tools from Microsoft Defender Advanced Threat Protection +description: Learn how to use REST API and configure supported security information and events management tools to receive and pull detections. keywords: configure siem, security information and events management tools, splunk, arcsight, custom indicators, rest api, alert definitions, indicators of compromise search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -18,7 +18,7 @@ ms.topic: article ms.date: 10/16/2017 --- -# Pull Detections to your SIEM tools +# Pull detections to your SIEM tools **Applies to:** 
@@ -26,13 +26,13 @@ ms.date: 10/16/2017 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configuresiem-abovefoldlink) -## Pull Detections using security information and events management (SIEM) tools +## Pull detections using security information and events management (SIEM) tools >[!Note] ->- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more Detections +>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections >- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details. -Microsoft Defender ATP supports (SIEM) tools to pull Detections. Microsoft Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to pull Detections from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment. +Microsoft Defender ATP supports (SIEM) tools to pull detections. Microsoft Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to pull detections from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment. Microsoft Defender ATP currently supports the following SIEM tools: 
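Review bot: the paragraph rewritten in this hunk of configure-siem.md still reads "Microsoft Defender ATP supports (SIEM) tools to pull detections", with the expansion missing in front of the parenthesis, and its next sentence keeps "exposes alerts through an HTTPS endpoint", the one remaining "alerts" in text this patch is converting to "detections"; suggest "supports security information and event management (SIEM) tools to pull detections" and "exposes detections through an HTTPS endpoint". The new heading also says "security information and events management (SIEM)" while enable-siem-integration.md in the same patch uses "event management"; pick one expansion.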
@@ -44,16 +44,16 @@ To use either of these supported SIEM tools you'll need to: - [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md) - Configure the supported SIEM tool: - - [Configure Splunk to pull Microsoft Defender ATP Detections](configure-splunk.md) - - [Configure HP ArcSight to pull Microsoft Defender ATP Detections](configure-arcsight.md) + - [Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md) + - [Configure HP ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md) For more information on the list of fields exposed in the Detection API see, [Microsoft Defender ATP Detection fields](api-portal-mapping.md). -## Pull Microsoft Defender ATP Detections using REST API -Microsoft Defender ATP supports the OAuth 2.0 protocol to pull Detections using REST API. +## Pull Microsoft Defender ATP detections using REST API +Microsoft Defender ATP supports the OAuth 2.0 protocol to pull detections using REST API. -For more information, see [Pull Microsoft Defender ATP Detections using REST API](pull-alerts-using-rest-api.md). +For more information, see [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md). ## In this section 
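Review bot: the unchanged context line between the two edited blocks in this hunk, "For more information on the list of fields exposed in the Detection API see, [Microsoft Defender ATP Detection fields](api-portal-mapping.md).", has the comma on the wrong side of "see"; since the surrounding lines are already being rewritten, move it: "For more information on the list of fields exposed in the Detection API, see [Microsoft Defender ATP Detection fields](api-portal-mapping.md)."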
@@ -61,8 +61,8 @@ For more information, see [Pull Microsoft Defender ATP Detections using REST API Topic | Description :---|:--- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md)| Learn about enabling the SIEM integration feature in the **Settings** page in the portal so that you can use and generate the required information to configure supported SIEM tools. -[Configure Splunk to pull Microsoft Defender ATP Detections](configure-splunk.md)| Learn about installing the REST API Modular Input App and other configuration settings to enable Splunk to pull Microsoft Defender ATP Detections. -[Configure HP ArcSight to pull Microsoft Defender ATP Detections](configure-arcsight.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to pull Microsoft Defender ATP Detections. +[Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md)| Learn about installing the REST API Modular Input App and other configuration settings to enable Splunk to pull Microsoft Defender ATP detections. +[Configure HP ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to pull Microsoft Defender ATP detections. [Microsoft Defender ATP Detection fields](api-portal-mapping.md) | Understand what data fields are exposed as part of the alerts API and how they map to Microsoft Defender Security Center. -[Pull Microsoft Defender ATP Detections using REST API](pull-alerts-using-rest-api.md) | Use the Client credentials OAuth 2.0 flow to pull Detections from Microsoft Defender ATP using REST API. +[Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md) | Use the Client credentials OAuth 2.0 flow to pull detections from Microsoft Defender ATP using REST API. 
[Troubleshoot SIEM tool integration issues](troubleshoot-siem.md) | Address issues you might encounter when using the SIEM integration feature. diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md b/windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md index ca4a9972c7..6d0db578d1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md @@ -1,6 +1,6 @@ --- -title: Configure Splunk to pull Microsoft Defender ATP Detections -description: Configure Splunk to receive and pull Detections from Microsoft Defender Security Center. +title: Configure Splunk to pull Microsoft Defender ATP detections +description: Configure Splunk to receive and pull detections from Microsoft Defender Security Center. keywords: configure splunk, security information and events management tools, splunk search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -17,7 +17,7 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Configure Splunk to pull Microsoft Defender ATP Detections +# Configure Splunk to pull Microsoft Defender ATP detections **Applies to:** @@ -28,10 +28,10 @@ ms.topic: article >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configuresplunk-abovefoldlink) -You'll need to configure Splunk so that it can pull Microsoft Defender ATP Detections. +You'll need to configure Splunk so that it can pull Microsoft Defender ATP detections. >[!Note] ->- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more Detections +>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections >- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details. ## Before you begin 
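Review bot: in the configure-siem.md "In this section" table (the @@ -61 hunk), the untouched row for [Microsoft Defender ATP Detection fields](api-portal-mapping.md) still says "exposed as part of the alerts API" while every row around it now says detections; change it to "the detections API" in the same hunk so the table reads consistently.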
@@ -125,8 +125,8 @@ You'll need to configure Splunk so that it can pull Microsoft Defender ATP Detec After completing these configuration steps, you can go to the Splunk dashboard and run queries. -## View Detections using Splunk solution explorer -Use the solution explorer to view Detections in Splunk. +## View detections using Splunk solution explorer +Use the solution explorer to view detections in Splunk. 1. In Splunk, go to **Settings** > **Searchers, reports, and alerts**. @@ -150,7 +150,7 @@ Use the solution explorer to view Detections in Splunk. ## Related topics - [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md) -- [Configure ArcSight to pull Microsoft Defender ATP Detections](configure-arcsight.md) +- [Configure ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md) - [Microsoft Defender ATP Detection fields](api-portal-mapping.md) -- [Pull Microsoft Defender ATP Detections using REST API](pull-alerts-using-rest-api.md) +- [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md) - [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md b/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md index 26fb69ca84..707f89cea2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md 
@@ -1,6 +1,6 @@ --- title: Enable SIEM integration in Microsoft Defender ATP -description: Enable SIEM integration to receive Detections in your security information and event management (SIEM) solution. +description: Enable SIEM integration to receive detections in your security information and event management (SIEM) solution. keywords: enable siem connector, siem, connector, security information and events search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -15,7 +15,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 12/10/2018 --- # Enable SIEM integration in Microsoft Defender ATP @@ -26,10 +25,10 @@ ms.date: 12/10/2018 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-enablesiem-abovefoldlink) -Enable security information and event management (SIEM) integration so you can pull Detections from Microsoft Defender Security Center using your SIEM solution or by connecting directly to the Detections REST API. +Enable security information and event management (SIEM) integration so you can pull detections from Microsoft Defender Security Center using your SIEM solution or by connecting directly to the detections REST API. >[!Note] ->- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more Detections +>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections >- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details. ## Prerequisites @@ -59,7 +58,7 @@ Enable security information and event management (SIEM) integration so you can p > - WDATP-connector.jsonparser.properties > - WDATP-connector.properties
- If you want to connect directly to the Detections REST API through programmatic access, choose **Generic API**. + If you want to connect directly to the detections REST API through programmatic access, choose **Generic API**. 4. Copy the individual values or select **Save details to file** to download a file that contains all the values. 
@@ -68,14 +67,14 @@ Enable security information and event management (SIEM) integration so you can p > [!NOTE] > You'll need to generate a new Refresh token every 90 days. -You can now proceed with configuring your SIEM solution or connecting to the Detections REST API through programmatic access. You'll need to use the tokens when configuring your SIEM solution to allow it to receive Detections from Microsoft Defender Security Center. +You can now proceed with configuring your SIEM solution or connecting to the detections REST API through programmatic access. You'll need to use the tokens when configuring your SIEM solution to allow it to receive detections from Microsoft Defender Security Center. ## Integrate Microsoft Defender ATP with IBM QRadar -You can configure IBM QRadar to collect Detections from Microsoft Defender ATP. For more information, see [IBM Knowledge Center](https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/c_dsm_guide_MS_Win_Defender_ATP_overview.html?cp=SS42VS_7.3.1). +You can configure IBM QRadar to collect detections from Microsoft Defender ATP. For more information, see [IBM Knowledge Center](https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/c_dsm_guide_MS_Win_Defender_ATP_overview.html?cp=SS42VS_7.3.1). ## Related topics -- [Configure Splunk to pull Microsoft Defender ATP Detections](configure-splunk.md) -- [Configure HP ArcSight to pull Microsoft Defender ATP Detections](configure-arcsight.md) +- [Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md) +- [Configure HP ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md) - [Microsoft Defender ATP Detection fields](api-portal-mapping.md) -- [Pull Microsoft Defender ATP Detections using REST API](pull-alerts-using-rest-api.md) +- [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md) - [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md) 
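Review bot: the rewritten sentence in this enable-siem-integration.md hunk tells readers to "use the tokens when configuring your SIEM solution", and step 4 just above it offers "Save details to file" to download all the values, including the refresh token that the note says must be regenerated every 90 days; the page should state that this file is a credential for the tenant's detections feed and must be stored, transferred and deleted accordingly, because anyone holding it can pull detections from the tenant until the token is rotated. A one-line caution after step 4 would do.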
diff --git a/windows/security/threat-protection/microsoft-defender-atp/management-apis.md b/windows/security/threat-protection/microsoft-defender-atp/management-apis.md index 75f1890d2a..40c4a73464 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/management-apis.md +++ b/windows/security/threat-protection/microsoft-defender-atp/management-apis.md @@ -52,7 +52,6 @@ An important aspect of machine management is the ability to analyze the environm Topic | Description :---|:--- Understand threat intelligence concepts | Learn about alert definitions, indicators of compromise, and other threat intelligence concepts. -Supported Microsoft Defender ATP APIs | Learn more about the individual supported entities where you can run API calls to and details such as HTTP request values, request headers and expected responses. Managed security service provider | Get a quick overview on managed security service provider support. diff --git a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md index b1efc09ba1..c8bd39a230 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md +++ b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md @@ -1,7 +1,7 @@ --- -title: Pull Microsoft Defender ATP Detections using REST API -description: Pull Detections from Microsoft Defender ATP REST API. -keywords: Detections, pull Detections, rest api, request, response +title: Pull Microsoft Defender ATP detections using REST API +description: Pull detections from Microsoft Defender ATP REST API. +keywords: detections, pull detections, rest api, request, response search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 
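Review bot: the management-apis.md hunk deletes the "Supported Microsoft Defender ATP APIs" row from the topic table, which is outside the SIEM-connector wording change the commit subject describes and is not explained anywhere in the message; if the row is dropped because the deprecated IP/domain API pages were removed, say so in the commit message, and if it was an accidental casualty of the search-and-replace, restore it, since it is the only row in that three-row table that points readers at the API reference.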
@@ -17,7 +17,7 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Pull Microsoft Defender ATP Detections using SIEM REST API +# Pull Microsoft Defender ATP detections using SIEM REST API **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -27,10 +27,10 @@ ms.topic: article >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-pullalerts-abovefoldlink) >[!Note] ->- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more Detections +>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections >- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details. -Microsoft Defender ATP supports the OAuth 2.0 protocol to pull Detections from the API. +Microsoft Defender ATP supports the OAuth 2.0 protocol to pull detections from the API. In general, the OAuth 2.0 protocol supports four types of flows: - Authorization grant flow 
@@ -40,19 +40,19 @@ In general, the OAuth 2.0 protocol supports four types of flows: For more information about the OAuth specifications, see the [OAuth Website](http://www.oauth.net). -Microsoft Defender ATP supports the _Authorization grant flow_ and _Client credential flow_ to obtain access to pull Detections, with Azure Active Directory (AAD) as the authorization server. +Microsoft Defender ATP supports the _Authorization grant flow_ and _Client credential flow_ to obtain access to pull detections, with Azure Active Directory (AAD) as the authorization server. The _Authorization grant flow_ uses user credentials to get an authorization code, which is then used to obtain an access token. The _Client credential flow_ uses client credentials to authenticate against the Microsoft Defender ATP endpoint URL. This flow is suitable for scenarios when an OAuth client creates requests to an API that doesn't require user credentials. -Use the following method in the Microsoft Defender ATP API to pull Detections in JSON format. +Use the following method in the Microsoft Defender ATP API to pull detections in JSON format. >[!NOTE] >Microsoft Defender Security Center merges similar alert detections into a single alert. This API pulls alert detections in its raw form based on the query parameters you set, enabling you to apply your own grouping and filtering. ## Before you begin -- Before calling the Microsoft Defender ATP endpoint to pull Detections, you'll need to enable the SIEM integration application in Azure Active Directory (AAD). For more information, see [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md). +- Before calling the Microsoft Defender ATP endpoint to pull detections, you'll need to enable the SIEM integration application in Azure Active Directory (AAD). For more information, see [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md). 
- Take note of the following values in your Azure application registration. You need these values to configure the OAuth flow in your service or daemon app: - Application ID (unique to your application) @@ -63,7 +63,7 @@ Use the following method in the Microsoft Defender ATP API to pull Detections in ## Get an access token Before creating calls to the endpoint, you'll need to get an access token. -You'll use the access token to access the protected resource, which are Detections in Microsoft Defender ATP. +You'll use the access token to access the protected resource, which are detections in Microsoft Defender ATP. To get an access token, you'll need to do a POST request to the token issuing endpoint. Here is a sample request: @@ -109,23 +109,23 @@ Use optional query parameters to specify and control the amount of data returned Name | Value| Description :---|:---|:--- -DateTime?sinceTimeUtc | string | Defines the lower time bound Detections are retrieved from, based on field:
`LastProcessedTimeUtc`
The time range will be: from sinceTimeUtc time to current time.

**NOTE**: When not specified, all Detections generated in the last two hours are retrieved. -DateTime?untilTimeUtc | string | Defines the upper time bound Detections are retrieved.
The time range will be: from `sinceTimeUtc` time to `untilTimeUtc` time.

**NOTE**: When not specified, the default value will be the current time. -string ago | string | Pulls Detections in the following time range: from `(current_time - ago)` time to `current_time` time.

Value should be set according to **ISO 8601** duration format
E.g. `ago=PT10M` will pull Detections received in the last 10 minutes. -int?limit | int | Defines the number of Detections to be retrieved. Most recent Detections will be retrieved based on the number defined.

**NOTE**: When not specified, all Detections available in the time range will be retrieved. -machinegroups | String | Specifies machine groups to pull Detections from.

**NOTE**: When not specified, Detections from all machine groups will be retrieved.

Example:

```https://wdatp-alertexporter-eu.securitycenter.windows.com/api/Alerts/?machinegroups=UKMachines&machinegroups=FranceMachines``` +DateTime?sinceTimeUtc | string | Defines the lower time bound detections are retrieved from, based on field:
`LastProcessedTimeUtc`
The time range will be: from sinceTimeUtc time to current time.

**NOTE**: When not specified, all detections generated in the last two hours are retrieved. +DateTime?untilTimeUtc | string | Defines the upper time bound detections are retrieved.
The time range will be: from `sinceTimeUtc` time to `untilTimeUtc` time.

**NOTE**: When not specified, the default value will be the current time. +string ago | string | Pulls detections in the following time range: from `(current_time - ago)` time to `current_time` time.

Value should be set according to **ISO 8601** duration format
E.g. `ago=PT10M` will pull detections received in the last 10 minutes. +int?limit | int | Defines the number of detections to be retrieved. Most recent detections will be retrieved based on the number defined.

**NOTE**: When not specified, all detections available in the time range will be retrieved. +machinegroups | String | Specifies machine groups to pull detections from.

**NOTE**: When not specified, detections from all machine groups will be retrieved.

Example:

```https://wdatp-alertexporter-eu.securitycenter.windows.com/api/Alerts/?machinegroups=UKMachines&machinegroups=FranceMachines``` DeviceCreatedMachineTags | string | Single machine tag from the registry. CloudCreatedMachineTags | string | Machine tags that were created in Microsoft Defender Security Center. ### Request example -The following example demonstrates how to retrieve all the Detections in your organization. +The following example demonstrates how to retrieve all the detections in your organization. ```syntax GET https://wdatp-alertexporter-eu.windows.com/api/alerts Authorization: Bearer ``` -The following example demonstrates a request to get the last 20 Detections since 2016-09-12 00:00:00. +The following example demonstrates a request to get the last 20 detections since 2016-09-12 00:00:00. ```syntax GET https://wdatp-alertexporter-eu.windows.com/api/alerts?limit=20&sinceTimeUtc=2016-09-12T00:00:00.000 @@ -182,14 +182,14 @@ AuthenticationContext context = new AuthenticationContext(string.Format("https:/ ClientCredential clientCredentials = new ClientCredential(clientId, clientSecret); AuthenticationResult authenticationResult = context.AcquireToken(resource, clientCredentials); ``` -### Use token to connect to the Detections endpoint +### Use token to connect to the detections endpoint ``` HttpClient httpClient = new HttpClient(); httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue(authenticationResult.AccessTokenType, authenticationResult.AccessToken); HttpResponseMessage response = httpClient.GetAsync("https://wdatp-alertexporter-eu.windows.com/api/alert").GetAwaiter().GetResult(); string detectionsJson = response.Content.ReadAsStringAsync().Result; -Console.WriteLine("Got Detections list: {0}", detectionsJson); +Console.WriteLine("Got detections list: {0}", detectionsJson); ``` 
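Review bot: the note kept as context in the @@ -40 hunk of pull-alerts-using-rest-api.md ("merges similar alert detections into a single alert. This API pulls alert detections in its raw form") uses "alert detections", a compound this patch is otherwise retiring; "merges similar detections into a single alert. This API returns detections in their raw form" keeps the alert/detection distinction the page's own note block draws.

Review bot: the query-parameter table and examples rewritten in the @@ -109 and @@ -182 hunks disagree on the endpoint: the machinegroups example calls `https://wdatp-alertexporter-eu.securitycenter.windows.com/api/Alerts/`, the request examples call `https://wdatp-alertexporter-eu.windows.com/api/alerts`, and the C# snippet (whose Console.WriteLine line this hunk edits) calls `https://wdatp-alertexporter-eu.windows.com/api/alert`; a reader pasting any one of them cannot tell which host and path is real, so settle on one and use it in all three places. In the same table the Name column still carries C# type prefixes (`DateTime?sinceTimeUtc`, `DateTime?untilTimeUtc`, `string ago`, `int?limit`) while the request example uses plain `limit` and `sinceTimeUtc`; put the bare parameter name in Name and the type in Value. The sinceTimeUtc example `2016-09-12T00:00:00.000` has no `Z` suffix even though the parameter and the `LastProcessedTimeUtc` field it filters on are UTC; add it so nobody sends local time.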
@@ -207,7 +207,7 @@ HTTP error code | Description ## Related topics - [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md) -- [Configure ArcSight to pull Microsoft Defender ATP Detections](configure-arcsight.md) -- [Configure Splunk to pull Microsoft Defender ATP Detections](configure-splunk.md) +- [Configure ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md) +- [Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md) - [Microsoft Defender ATP Detection fields](api-portal-mapping.md) - [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-siem.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-siem.md index ea8a66f069..e6d27968c0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-siem.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-siem.md @@ -25,7 +25,7 @@ ms.topic: troubleshooting -You might need to troubleshoot issues while pulling Detections in your SIEM tools. +You might need to troubleshoot issues while pulling detections in your SIEM tools. This page provides detailed steps to troubleshoot issues you might encounter. 
@@ -80,7 +80,7 @@ If you encounter an error when trying to enable the SIEM connector application, ## Related topics - [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md) -- [Configure ArcSight to pull Microsoft Defender ATP Detections](configure-arcsight.md) -- [Configure Splunk to pull Microsoft Defender ATP Detections](configure-splunk.md) +- [Configure ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md) +- [Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md) - [Microsoft Defender ATP Detection fields](api-portal-mapping.md) -- [Pull Microsoft Defender ATP Detections using REST API](pull-alerts-using-rest-api.md) +- [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md) From 4425662809339f375ebebf75737218a9c57efd77 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Tue, 3 Sep 2019 11:17:52 -0700 Subject: [PATCH 3/5] remove space json file --- .openpublishing.redirection.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 7ab1d5392d..daecbc6a4d 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -15136,7 +15136,7 @@ "redirect_document_id": false }, { -"source_path": "windows/security/threat-protection/microsoft-defender-atp/get-ip-related-machines.md ", +"source_path": "windows/security/threat-protection/microsoft-defender-atp/get-ip-related-machines.md", "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts", "redirect_document_id": true }, From 4a53c226d6a54af30e1d52401f3cfc98113bc400 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Tue, 3 Sep 2019 11:44:06 -0700 Subject: [PATCH 4/5] fix json --- .openpublishing.redirection.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index daecbc6a4d..95b887e08a 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -14778,7 +14778,7 @@ { "source_path": "windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md", "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts", -"redirect_document_id": true +"redirect_document_id": false }, { "source_path": "windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md", @@ -14788,7 +14788,7 @@ { "source_path": "windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md", "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-machines", -"redirect_document_id": true +"redirect_document_id": false }, { "source_path": "windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md", From e8ba3853595e4656caaaf4222dbebd390d049835 Mon Sep 17 00:00:00 2001 From: John Liu <49762389+ShenLanJohn@users.noreply.github.com> Date: Tue, 3 Sep 2019 13:23:12 -0700 Subject: [PATCH 5/5] CAT Auto Publish for Windows Release Messages - CAT_AutoPublish_20190903123340 (#1031) --- .../resolved-issues-windows-10-1803.yml | 10 ++++++++++ ...ssues-windows-10-1809-and-windows-server-2019.yml | 12 ------------ .../release-information/status-windows-10-1803.yml | 10 ++++++++++ .../release-information/status-windows-10-1903.yml | 2 -- 4 files changed, 20 insertions(+), 14 deletions(-) diff --git a/windows/release-information/resolved-issues-windows-10-1803.yml b/windows/release-information/resolved-issues-windows-10-1803.yml index b3059b9fe8..f6b4c85fb6 100644 --- a/windows/release-information/resolved-issues-windows-10-1803.yml
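Review bot: in the PATCH 4/5 hunk at @@ -14788,7 the redirect_url still points at /windows/security/threat-protection/microsoft-defender-atp/get-ip-related-machines, a page this same series deletes in PATCH 1/5 and then redirects to get-ip-related-alerts in PATCH 3/5, so a visitor of the old "-new.md" URL is sent through a two-hop redirect; point this entry directly at /windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts, and check the get-ip-related-machines-windows-defender-advanced-threat-protection.md entry shown as context at the end of the first hunk for the same stale target. The commit message "fix json" should also say what was fixed (two sources claiming the document id of one target), since the diff alone does not explain why true became false.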
+++ b/windows/release-information/resolved-issues-windows-10-1803.yml @@ -32,6 +32,7 @@ sections: - type: markdown text: " + @@ -58,6 +59,15 @@ sections:
" +- title: September 2019 +- items: + - type: markdown + text: " +
SummaryOriginating updateStatusDate resolved
Notification issue: \"Your device is missing important security and quality fixes.\"
Some users may have incorrectly received the notification \"Your device is missing important security and quality fixes.\"

See details >
N/A

Resolved
September 03, 2019
12:32 PM PT
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

See details >
OS Build 17134.829

June 11, 2019
KB4503286
Resolved
KB4512509
August 19, 2019
02:00 PM PT
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.

See details >
OS Build 17134.950

August 13, 2019
KB4512501
Resolved
KB4512509
August 19, 2019
02:00 PM PT
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.

See details >
OS Build 17134.915

July 16, 2019
KB4507466
Resolved
KB4512501
August 13, 2019
10:00 AM PT
+ +
DetailsOriginating updateStatusHistory
Notification issue: \"Your device is missing important security and quality fixes.\"
Some users may have incorrectly received the notification \"Your device is missing important security and quality fixes\" in the Windows Update dialog and a red \"!\" in the task tray on the Windows Update tray icon. This notification is intended for devices that are 90 days or more out of date, but some users with installed updates released in June or July also saw this notification.

Affected platforms:
  • Client: Windows 10, version 1803
  • Server: Windows Server, version 1803
Resolution: This issue was resolved on the server side on August 30, 2019. Only devices that are out of date by 90 days or more should now see the notification. No action is required by the user to resolve this issue. If you are still seeing the \"Your device is missing important security and quality fixes\" notification, we recommend selecting Check for Updates in the Windows Update dialog. For instructions, see Update Windows 10. Microsoft always recommends trying to keep your devices up to date, as the monthly updates contain important security fixes. 

Back to top
N/A

Resolved
Resolved:
September 03, 2019
12:32 PM PT

Opened:
September 03, 2019
12:32 PM PT
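Review bot: in the new September 2019 entry of resolved-issues-windows-10-1803.yml the summary table's "Date resolved" and the History column's "Resolved:" and "Opened:" timestamps are all September 03, 2019 12:32 PM PT, while the Resolution text in the details says the issue "was resolved on the server side on August 30, 2019"; an issue that opens and resolves at the identical minute, four days after the stated fix, will read as a data-entry error, so either put August 30, 2019 in the resolved fields or label September 03 as the publication date, and give "Opened:" the date the notification problem was first observed rather than the publish time.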
+ " + - title: August 2019 - items: - type: markdown diff --git a/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml b/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml index c70c55ae78..99b8f5966a 100644 --- a/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml +++ b/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml @@ -55,12 +55,6 @@ sections:
End-user-defined characters (EUDC) may cause blue screen at startup
If you enable per font end-user-defined characters (EUDC), the system may stop working and a blue screen may appear at startup.

See details >OS Build 17763.404

April 02, 2019
KB4490481Resolved
KB4493509April 09, 2019
10:00 AM PT
MSXML6 may cause applications to stop responding
MSXML6 may cause applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().

See details >OS Build 17763.253

January 08, 2019
KB4480116Resolved
KB4493509April 09, 2019
10:00 AM PT
Error 1309 when installing/uninstalling MSI or MSP files
Users may receive \"Error 1309\" while installing or uninstalling certain types of MSI and MSP files.

See details >OS Build 17763.316

February 12, 2019
KB4487044Resolved
KB4489899March 12, 2019
10:00 AM PT -
Internet Explorer may fail to load images
Internet Explorer may fail to load images with a backslash (\\) in their relative source path.

See details >OS Build 17763.316

February 12, 2019
KB4487044Resolved
KB4482887March 01, 2019
10:00 AM PT -
First character of the Japanese era name not recognized
The first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.

See details >OS Build 17763.316

February 12, 2019
KB4487044Resolved
KB4482887March 01, 2019
10:00 AM PT -
Applications using Microsoft Jet database and Access 95 file format stop working
Applications that use a Microsoft Jet database with the Microsoft Access 9 file format may randomly stop working.

See details >OS Build 17763.316

February 12, 2019
KB4487044Resolved
KB4482887March 01, 2019
10:00 AM PT -
Shared albums may not sync with iCloud for Windows
Upgrade block: Apple has identified an incompatibility with iCloud for Windows (version 7.7.0.27) where users may experience issues updating or synching Shared Albums.

See details >OS Build 17763.134

November 13, 2018
KB4467708Resolved
KB4482887March 01, 2019
10:00 AM PT -
Intel Audio Display (intcdaud.sys) notification during Windows 10 Setup
Upgrade block: Users may see an Intel Audio Display (intcdaud.sys) notification during setup for devices with certain Intel Display Audio Drivers.

See details >OS Build 17763.134

November 13, 2018
KB4467708Resolved
KB4482887March 01, 2019
10:00 AM PT -
F5 VPN clients losing network connectivity
Upgrade block: After updating to Windows 10, version 1809, F5 VPN clients may lose network connectivity when the VPN service is in a split tunnel configuration.

See details >OS Build 17763.134

November 13, 2018
KB4467708Resolved
KB4482887March 01, 2019
10:00 AM PT
Global DNS outage affects Windows Update customers
Windows Update customers were recently affected by a network infrastructure event caused by an external DNS service provider's global outage.

See details >N/A

Resolved
March 08, 2019
11:15 AM PT
Apps may stop working after selecting an audio output device other than the default
Users with multiple audio devices that select an audio output device different from the \"Default Audio Device\" may find certain applications stop working unexpectedly.

See details >OS Build 17763.348

March 01, 2019
KB4482887Resolved
KB4490481April 02, 2019
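Review bot: the six summary rows removed in the @@ -55,12 +55,6 hunk (Internet Explorer images, Japanese era name, Jet/Access 95, iCloud shared albums, Intel Audio Display, F5 VPN) are exactly the rows resolved by KB4482887 on March 01, 2019, yet the "Global DNS outage" row (resolved March 08, 2019) and the "Error 1309" row (KB4489899, March 12, 2019) stay, as do older entries such as MSXML6 and EUDC resolved by KB4493509; if the intent is to age out entries past a cutoff date, the cutoff should be stated in the commit message and applied to every row, and if the intent is to drop upgrade-block entries only, the three non-upgrade-block rows (Internet Explorer, Japanese era name, Jet) do not fit that criterion either. The matching detail entries are removed in the @@ -148,9 and @@ -171,8 hunks, so the "See details" anchors stay consistent.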
10:00 AM PT @@ -148,9 +142,6 @@ sections: - - -
DetailsOriginating updateStatusHistory
Embedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly. 
 
For example, if you paste a Microsoft Excel worksheet object into a Microsoft Word document, the cells may render with a different background color. 
 
Affected platforms:  
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1  
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2  
Resolution: This issue is resolved in KB4493509.  

Back to top
OS Build 17763.316

February 12, 2019
KB4487044
Resolved
KB4493509
Resolved:
April 09, 2019
10:00 AM PT

Opened:
February 12, 2019
10:00 AM PT
Error 1309 when installing/uninstalling MSI or MSP files
After installing KB4487044, users may receive \"Error 1309\" while installing or uninstalling certain types of MSI and MSP files. 

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Resolution: This issue is resolved in KB4489899

Back to top
OS Build 17763.316

February 12, 2019
KB4487044
Resolved
KB4489899
Resolved:
March 12, 2019
10:00 AM PT

Opened:
February 12, 2019
10:00 AM PT
Internet Explorer may fail to load images
After installing KB4487044, Internet Explorer may fail to load images with a backslash (\\) in their relative source path.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2008 R2 SP1
Resolution: This issue is resolved in KB4482887.

Back to top
OS Build 17763.316

February 12, 2019
KB4487044
Resolved
KB4482887
Resolved:
March 01, 2019
10:00 AM PT

Opened:
February 12, 2019
10:00 AM PT
First character of the Japanese era name not recognized
After installing KB4487044, the first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues. 

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue is resolved in KB4482887

Back to top
OS Build 17763.316

February 12, 2019
KB4487044
Resolved
KB4482887
Resolved:
March 01, 2019
10:00 AM PT

Opened:
February 12, 2019
10:00 AM PT
Applications using Microsoft Jet database and Access 95 file format stop working
Applications that use a Microsoft Jet database with the Microsoft Access 95 file format may randomly stop working.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 7 SP1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue is resolved in KB4482887.

Back to top
OS Build 17763.316

February 12, 2019
KB4487044
Resolved
KB4482887
Resolved:
March 01, 2019
10:00 AM PT

Opened:
February 12, 2019
10:00 AM PT
" @@ -171,8 +162,5 @@ sections: text: " - - -
DetailsOriginating updateStatusHistory
Audio not working on monitors or TV connected to a PC via HDMI, USB, or DisplayPort
Upgrade block: Microsoft has identified issues with certain new Intel display drivers. Intel inadvertently released versions of its display driver (versions 24.20.100.6344, 24.20.100.6345) to OEMs that accidentally turned on unsupported features in Windows. 
 
As a result, after updating to Windows 10, version 1809, audio playback from a monitor or television connected to a PC via HDMI, USB-C, or a DisplayPort may not function correctly on devices with these drivers.
Note: This Intel display driver issue is different from the Intel Smart Sound Technology driver (version 09.21.00.3755) audio issue previously documented.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
  • Server: Windows Server, version 1809; Windows Server 2019 
Next steps: Intel has released updated drivers to OEM device manufacturers. OEMs need to make the updated driver available via Windows Update. For more information, see the Intel Customer Support article.

Resolution: Microsoft has removed the safeguard hold.



Back to top
OS Build 17763.134

November 13, 2018
KB4467708
Resolved
Resolved:
May 21, 2019
07:42 AM PT

Opened:
November 13, 2018
10:00 AM PT
Shared albums may not sync with iCloud for Windows
Upgrade block: Users who attempt to install iCloud for Windows (version 7.7.0.27) will see a message displayed that this version iCloud for Windows isn't supported and the install will fail.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
  • Server: Windows Server, version 1809; Windows Server 2019
To ensure a seamless experience, Microsoft is blocking devices with iCloud for Windows (version 7.7.0.27) software installed from being offered Windows 10, version 1809 until this issue has been resolved. 

We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool from the Microsoft software download website until this issue is resolved. 
 
Resolution: Apple has released an updated version of iCloud for Windows (version 7.8.1) that resolves compatibility issues encountered when updating or synching Shared Albums after updating to Windows 10, version 1809. We recommend that you update your iCloud for Windows to version 7.8.1 when prompted before attempting to upgrade to Windows 10, version 1809. You can also manually download the latest version of iCloud for Windows by visiting https://support.apple.com/HT204283.

Back to top
OS Build 17763.134

November 13, 2018
KB4467708
Resolved
KB4482887
Resolved:
March 01, 2019
10:00 AM PT

Opened:
November 13, 2018
10:00 AM PT
Intel Audio Display (intcdaud.sys) notification during Windows 10 Setup
Upgrade block: Microsoft and Intel have identified a compatibility issue with a range of Intel Display Audio device drivers (intcdaud.sys, versions 10.25.0.3 - 10.25.0.8) that may result in excessive processor demand and reduced battery life. As a result, the update process to the Windows 10 October 2018 Update (Windows 10, version 1809) will fail and affected devices will automatically revert to the previous working configuration. 

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
  • Server: Windows Server, version 1809; Windows Server 2019
If you see a \"What needs your attention\" notification during installation of the October 2018 Update, you have one of these affected drivers on your system. On the notification, click Back to remain on your current version of Windows 10. 
 
To ensure a seamless experience, we are blocking devices from being offered the October 2018 Update until updated Intel device drivers are installed on your current operating system. We recommend that you do not attempt to manually update to Windows 10, version 1809, using the Update Now button or the Media Creation Tool from the Microsoft Software Download Center until newer Intel device drivers are available with the update. You can either wait for newer drivers to be installed automatically through Windows Update or check with your computer manufacturer for the latest device driver software availability and installation procedures. For more information about this issue, see Intel's customer support guidance.
 
Resolution: This issue was resolved in KB4482887 and the upgrade block removed. 

Back to top
OS Build 17763.134

November 13, 2018
KB4467708
Resolved
KB4482887
Resolved:
March 01, 2019
10:00 AM PT

Opened:
November 13, 2018
10:00 AM PT
F5 VPN clients losing network connectivity
Upgrade block: After updating to Windows 10, version 1809, F5 VPN clients may lose network connectivity when the VPN service is in a split tunnel configuration.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
  • Server: Windows Server, version 1809; Windows Server 2019
Resolution: This issue was resolved in KB4482887 and the upgrade block removed. 

Back to top
OS Build 17763.134

November 13, 2018
KB4467708
Resolved
KB4482887
Resolved:
March 01, 2019
10:00 AM PT

Opened:
November 13, 2018
10:00 AM PT
" diff --git a/windows/release-information/status-windows-10-1803.yml b/windows/release-information/status-windows-10-1803.yml index c9f0739b5a..fe3c6577c2 100644 --- a/windows/release-information/status-windows-10-1803.yml +++ b/windows/release-information/status-windows-10-1803.yml @@ -65,6 +65,7 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

+ @@ -81,6 +82,15 @@ sections:
" +- title: September 2019 +- items: + - type: markdown + text: " +
SummaryOriginating updateStatusLast updated
Notification issue: \"Your device is missing important security and quality fixes.\"
Some users may have incorrectly received the notification \"Your device is missing important security and quality fixes.\"

See details >
N/A

Resolved
September 03, 2019
12:32 PM PT
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

See details >
OS Build 17134.829

June 11, 2019
KB4503286
Resolved
KB4512509
August 19, 2019
02:00 PM PT
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.

See details >
OS Build 17134.950

August 13, 2019
KB4512501
Resolved
KB4512509
August 19, 2019
02:00 PM PT
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.

See details >
OS Build 17134.915

July 16, 2019
KB4507466
Resolved
KB4512501
August 13, 2019
10:00 AM PT
+ +
DetailsOriginating updateStatusHistory
Notification issue: \"Your device is missing important security and quality fixes.\"
Some users may have incorrectly received the notification \"Your device is missing important security and quality fixes\" in the Windows Update dialog and a red \"!\" in the task tray on the Windows Update tray icon. This notification is intended for devices that are 90 days or more out of date, but some users with installed updates released in June or July also saw this notification.

Affected platforms:
  • Client: Windows 10, version 1803
  • Server: Windows Server, version 1803
Resolution: This issue was resolved on the server side on August 30, 2019. Only devices that are out of date by 90 days or more should now see the notification. No action is required by the user to resolve this issue. If you are still seeing the \"Your device is missing important security and quality fixes\" notification, we recommend selecting Check for Updates in the Windows Update dialog. For instructions, see Update Windows 10. Microsoft always recommends trying to keep your devices up to date, as the monthly updates contain important security fixes. 

Back to top
N/A

Resolved
Resolved:
September 03, 2019
12:32 PM PT

Opened:
September 03, 2019
12:32 PM PT
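Review bot: the September 2019 entry added here to status-windows-10-1803.yml carries the same inconsistency as the resolved-issues-windows-10-1803.yml hunk of this patch: "Last updated" and both History timestamps read September 03, 2019 12:32 PM PT while the Resolution text says the fix was made on the server side on August 30, 2019; whichever date is chosen, keep the two 1803 files in step, since the status page claims to show issues "resolved in the last 30 days" and a reader comparing the two pages should see the same resolution date.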
+ " + - title: August 2019 - items: - type: markdown diff --git a/windows/release-information/status-windows-10-1903.yml b/windows/release-information/status-windows-10-1903.yml index 5dd768299d..72034e1a27 100644 --- a/windows/release-information/status-windows-10-1903.yml +++ b/windows/release-information/status-windows-10-1903.yml @@ -75,7 +75,6 @@ sections:
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

See details >OS Build 18362.175

June 11, 2019
KB4503293Resolved External
August 09, 2019
07:03 PM PT
Intermittent loss of Wi-Fi connectivity
Some older devices may experience loss of Wi-Fi connectivity due to an outdated Qualcomm driver.

See details >OS Build 18362.116

May 21, 2019
KB4505057Mitigated External
August 01, 2019
08:44 PM PT
Gamma ramps, color profiles, and night light settings do not apply in some cases
Microsoft has identified some scenarios where gamma ramps, color profiles and night light settings may stop working.

See details >OS Build 18362.116

May 21, 2019
KB4505057Mitigated
August 01, 2019
06:27 PM PT -
Display brightness may not respond to adjustments
Microsoft and Intel have identified a driver compatibility issue on devices configured with certain Intel display drivers.

See details >OS Build 18362.116

May 21, 2019
KB4505057Resolved
KB4505903July 26, 2019
02:00 PM PT
The dGPU may occasionally disappear from device manager on Surface Book 2 with dGPU
Some apps or games that needs to perform graphics intensive operations may close or fail to open on Surface Book 2 devices with Nvidia dGPU.

See details >OS Build 18362.145

May 29, 2019
KB4497935Investigating
July 16, 2019
09:04 AM PT
Unable to discover or connect to Bluetooth devices
Microsoft has identified compatibility issues with some versions of Realtek and Qualcomm Bluetooth radio drivers.

See details >OS Build 18362.116

May 21, 2019
KB4505057Mitigated
May 21, 2019
04:48 PM PT
Intel Audio displays an intcdaud.sys notification
Microsoft and Intel have identified an issue with a range of Intel Display Audio device drivers that may result in battery drain.

See details >OS Build 18362.116

May 21, 2019
KB4505057Mitigated
May 21, 2019
04:47 PM PT @@ -123,7 +122,6 @@ sections:
Windows Sandbox may fail to start with error code “0x80070002”
Windows Sandbox may fail to start with \"ERROR_FILE_NOT_FOUND (0x80070002)\" on devices in which the operating system language is changed during the update process when installing Windows 10, version 1903.

Affected platforms:
  • Client: Windows 10, version 1903
Resolution: This issue was resolved in KB4512941.

Back to topOS Build 18362.116

May 20, 2019
KB4505057Resolved
KB4512941Resolved:
August 30, 2019
10:00 AM PT

Opened:
May 24, 2019
04:20 PM PT
Intermittent loss of Wi-Fi connectivity
Some older computers may experience loss of Wi-Fi connectivity due to an outdated Qualcomm driver. An updated Wi-Fi driver should be available from your device manufacturer (OEM).

To safeguard your upgrade experience, we have applied a hold on devices with this Qualcomm driver from being offered Windows 10, version 1903, until the updated driver is installed.

Affected platforms:
  • Client: Windows 10, version 1903
Workaround: Before updating to Windows 10, version 1903, you will need to download and install an updated Wi-Fi driver from your device manufacturer (OEM).
 
Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until a new driver has been installed and the Windows 10, version 1903 feature update has been automatically offered to you.

Back to topOS Build 18362.116

May 21, 2019
KB4505057Mitigated External
Last updated:
August 01, 2019
08:44 PM PT

Opened:
May 21, 2019
07:13 AM PT
Gamma ramps, color profiles, and night light settings do not apply in some cases
Microsoft has identified some scenarios where gamma ramps, color profiles and night light settings may stop working.

Microsoft has identified some scenarios in which these features may have issues or stop working, for example:
  • Connecting to (or disconnecting from) an external monitor, dock, or projector
  • Rotating the screen
  • Updating display drivers or making other display mode changes
  • Closing full screen applications
  • Applying custom color profiles
  • Running applications that rely on custom gamma ramps
Affected platforms:
  • Client: Windows 10, version 1903
Workaround: If you find that your night light has stopped working, try turning the night light off and on, or restarting your computer. For other color setting issues, restart your computer to correct the issue.

Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

Next steps: We are working on a resolution and will provide an update in an upcoming release.

Back to topOS Build 18362.116

May 21, 2019
KB4505057Mitigated
Last updated:
August 01, 2019
06:27 PM PT

Opened:
May 21, 2019
07:28 AM PT -
Display brightness may not respond to adjustments
Microsoft and Intel have identified a driver compatibility issue on devices configured with certain Intel display drivers. After updating to Windows 10, version 1903, brightness settings may sometime appear as if changes applied took effect, yet the actual display brightness doesn't change.

To safeguard your update experience, we have applied a compatibility hold on devices with certain Intel drivers from being offered Windows 10, version 1903, until this issue is resolved.

Affected platforms:
  • Client: Windows 10, version 1903
Resolution: This issue was resolved in KB4505903 and the safeguard hold has been removed. Please ensure you have applied the resolving update before attempting to update to the Windows 10 May 2019 Update (version 1903). Please note, it can take up to 48 hours for the safeguard to be removed.

Back to topOS Build 18362.116

May 21, 2019
KB4505057Resolved
KB4505903Resolved:
July 26, 2019
02:00 PM PT

Opened:
May 21, 2019
07:56 AM PT
Unable to discover or connect to Bluetooth devices
Microsoft has identified compatibility issues with some driver versions for Bluetooth radios made by Realtek and Qualcomm. To safeguard your update experience, we have applied a compatibility hold on devices with affected driver versions for Realtek or Qualcomm Bluetooth radios from being offered Windows 10, version 1903 or Windows Server, version 1903 until the driver has been updated.

Affected platforms:
  • Client: Windows 10, version 1903
  • Server: Windows Server, version 1903
Workaround: Check with your device manufacturer (OEM) to see if an updated driver is available and install it.

  • For Qualcomm drivers, you will need to install a driver version greater than 10.0.1.11.
  • For Realtek drivers, you will need to install a driver version greater than 1.5.1011.0.
Note Until an updated driver has been installed, we recommend you do not attempt to manually update using the Update now button or the Media Creation Tool. 

Next steps: Microsoft is working with Realtek and Qualcomm to release new drivers for all affected system via Windows Update.  


Back to topOS Build 18362.116

May 21, 2019
KB4505057Mitigated
Last updated:
May 21, 2019
04:48 PM PT

Opened:
May 21, 2019
07:29 AM PT
Intel Audio displays an intcdaud.sys notification
Microsoft and Intel have identified an issue with a range of Intel Display Audio device drivers that may result in higher than normal battery drain. If you see an intcdaud.sys notification or “What needs your attention” notification when trying to update to Windows 10, version 1903, you have an affected Intel Audio Display device driver installed on your machine (intcdaud.sys, versions 10.25.0.3 through 10.25.0.8).
  
To safeguard your update experience, we have applied a compatibility hold on devices with drivers from being offered Windows 10, version 1903 until updated device drivers have been installed.

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809
Workaround:
On the “What needs your attention\" notification, click the Back button to remain on your current version of Windows 10. (Do not click Confirm as this will proceed with the update and you may experience compatibility issues.) Affected devices will automatically revert to the previous working configuration.

For more information, see Intel's customer support guidance and the Microsoft knowledge base article KB4465877.

Note We recommend you do not attempt to update your devices until newer device drivers are installed.

Next steps: You can opt to wait for newer drivers to be installed automatically through Windows Update or check with the computer manufacturer for the latest device driver software availability and installation procedures.

Back to topOS Build 18362.116

May 21, 2019
KB4505057Mitigated
Last updated:
May 21, 2019
04:47 PM PT

Opened:
May 21, 2019
07:22 AM PT
Cannot launch Camera app
Microsoft and Intel have identified an issue affecting Intel RealSense SR300 and Intel RealSense S200 cameras when using the Camera app. After updating to the Windows 10 May 2019 Update and launching the Camera app, you may get an error message stating:

\"Close other apps, error code: 0XA00F4243.”


To safeguard your update experience, we have applied a protective hold on machines with Intel RealSense SR300 or Intel RealSense S200 cameras installed from being offered Windows 10, version 1903, until this issue is resolved.

Affected platforms:
  • Client: Windows 10, version 1903
Workaround: To temporarily resolve this issue, perform one of the following:

  • Unplug your camera and plug it back in.

or

  • Disable and re-enable the driver in Device Manager. In the Search box, type \"Device Manager\" and press Enter. In the Device Manager dialog box, expand Cameras, then right-click on any RealSense driver listed and select Disable device. Right click on the driver again and select Enable device.

or

  • Restart the RealSense service. In the Search box, type \"Task Manager\" and hit Enter. In the Task Manager dialog box, click on the Services tab, right-click on RealSense, and select Restart
Note This workaround will only resolve the issue until your next system restart.

Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

Next steps: We are working on a resolution and will provide an update in an upcoming release.

Back to topOS Build 18362.116

May 21, 2019
KB4505057Mitigated
Last updated:
May 21, 2019
04:47 PM PT

Opened:
May 21, 2019
07:20 AM PT