mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-15 10:23:37 +00:00
fix all for more information see, add related topics, add in this section
@ -76,5 +76,6 @@ RONEN - I THINK I'M MISSING SOME STEPS HERE - I THINK I NEED TO PUT IN INFORMATI
SHOULD I INCLUDE THOSE INFORMATION HERE? OR CREATE A SEPARATE TOPIC FOR THAT? OR INCLUDE IT IN THE SPLUNK/ARCSIGHT STEPS?

## Related topics
- [Configure security information and events management (SIEM) tools to consume alerts](configure-siem-windows-defender-advanced-threat-protection.md)
- [Configure Splunk to consume alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
- [Configure HP ArcSight to consume alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)

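Review bot: the hunk keeps two author-to-reviewer questions in the topic body (the `RONEN - I THINK I'M MISSING SOME STEPS HERE` context line and `SHOULD I INCLUDE THOSE INFORMATION HERE? OR CREATE A SEPARATE TOPIC FOR THAT? ...`); they will publish with the page if this branch merges. Resolve them in the PR discussion or track them outside the article, and decide whether the missing steps belong here or in the Splunk/ArcSight topics before the Related topics list is treated as final.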
@ -17,9 +17,9 @@ author: mjcaparas
- Windows 10, version 1607
- Windows Defender Advanced Threat Protection (Windows Defender ATP)

You'll need to configure HP ArcSight so that it can consume Windows Defender ATP alerts.
You'll need to configure HP ArcSight so that it can consume Windows Defender ATP alerts.

### Before you begin
## Before you begin

- Get the following information from your Azure Active Directory (AAD) application:
- OAuth 2 Token refresh URL
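Review bot: promoting `### Before you begin` to `##` is right, since the topic later links to `#before-you-begin` and the heading should sit at the same level as `## Configure HP ArcSight`. The bullet `Get the following information from your Azure Active Directory (AAD) application:` would be more useful with a link to the AAD topic this commit links elsewhere (`configure-aad-windows-defender-advanced-threat-protection.md`), so the reader knows where the OAuth 2 values come from.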
@ -30,10 +30,10 @@ You'll need to configure HP ArcSight so that it can consume Windows Defender ATP
- Install the HP ArcSight REST FlexConnector package on a server that has access to the Internet. (RONEN - MAY I HAVE THE LINK FROM WHERE CUSTOMERS CAN DOWNLOAD THE PACKAGE)
- Contact the Windows Defender ATP team to provide you your refresh token or follow the steps in the section "Run restutil to Obtain a Refresh Token for Connector Appliance/ArcSight Management Center" in _______ NEED LINK TO THE PDF AGAIN HERE.

## Configure HP ArcSight
## Configure HP ArcSight
The following steps assume that you have completed all the required steps in [Before you begin](#before-you-begin)

1. Copy the *wdatp-connector.jsonparser.properties* file into the `<root>\current\user\agent\flexagent` folder of the connector installation folder.
1. Copy the *wdatp-connector.jsonparser.properties* file into the `<root>\current\user\agent\flexagent` folder of the connector installation folder.

2. Save the *wdatp-connector.properties* file into a folder of your choosing.

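Review bot: two unresolved placeholders remain in the prerequisites, `(RONEN - MAY I HAVE THE LINK FROM WHERE CUSTOMERS CAN DOWNLOAD THE PACKAGE)` and `in _______ NEED LINK TO THE PDF AGAIN HERE.`; both bullets are steps the reader cannot complete without those links, so this should not merge until they are filled in. Since the refresh token named in the second bullet is what authorizes the connector to pull alerts from the tenant, a short sentence telling the reader to treat it like any other credential would fit well here. The sentence `The following steps assume that you have completed all the required steps in [Before you begin](#before-you-begin)` is also missing its closing period.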
@ -49,7 +49,7 @@ The following steps assume that you have completed all the required steps in [Be

Field | Value
:---|:---
Configuration File | Type in the name of the client property file. It must match the client property file.
Configuration File | Type in the name of the client property file. It must match the client property file.
Events URL | `https://DataAccess-PRD.trafficmanager.net:444/api/alerts`
Authentication Type | OAuth 2
OAuth 2 Client Properties File | Select *wdatp-connector.properties*.
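Review bot: the `Configuration File` description is circular (`Type in the name of the client property file. It must match the client property file.`); say which file is meant, presumably the *wdatp-connector.properties* file saved in step 2, and what "match" refers to (the file name as saved on disk?). The `Events URL` row hard-codes `https://DataAccess-PRD.trafficmanager.net:444/api/alerts`; if this is one of the values the reader obtains from the AAD application in Before you begin, say so, otherwise state that it is a fixed value so the reader does not go looking for it.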
@ -57,11 +57,13 @@ Refresh Token | Paste the refresh token that your Windows Defender ATP contact p

All other values in the form are optional and can be left blank.

6. Select **Next**, then **Save**.
6. Select **Next**, then **Save**.

7. Run the connector. You can choose to run in service mode or application mode. RONEN - Should this be Service mode or Application mode (capitalized S and capitalized A?)

8. In the HP ArcSight console, create a **Windows Defender ATP** channel with an intervals and properties suitable to your enterprise needs.

## Related topic
- [Configure security information and events management (SIEM) tools to consume alerts](configure-siem-windows-defender-advanced-threat-protection.md)
## Related topics
- [Configure security information and events management (SIEM) tools to consume alerts](configure-siem-windows-defender-advanced-threat-protection.md)
- [Configure Azure Active Directory application for SIEM integration](configure-aad-windows-defender-advanced-threat-protection.md)
- [Configure Splunk to consume alerts](configure-splunk-windows-defender-advanced-threat-protection.md)

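Review bot: step 7 still carries the inline question `RONEN - Should this be Service mode or Application mode (capitalized S and capitalized A?)`; settle the capitalization and drop the note before merge. Step 8 has a grammar slip, `with an intervals and properties` should read `with intervals and properties`. The rename of `## Related topic` to `## Related topics` and the added AAD link match what this commit does in the other topics.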
@ -22,7 +22,7 @@ author: mjcaparas

<span id="sccm1606"/>
## Configure endpoints using System Center Configuration Manager (current branch) version 1606
System Center Configuration Manager (current branch) version 1606, currently in technical preview, has UI integrated support for configuring and managing Windows Defender ATP on endpoints. For more information, see the [Support for Windows Defender Advanced Threat Protection service](https://technet.microsoft.com/en-us/library/mt706220.aspx#BKMK_ATP) section.
System Center Configuration Manager (current branch) version 1606, currently in technical preview, has UI integrated support for configuring and managing Windows Defender ATP on endpoints. For more information, see [Support for Windows Defender Advanced Threat Protection service](https://technet.microsoft.com/en-us/library/mt706220.aspx#BKMK_ATP).

> **Note** If you intend to use this deployment tool, ensure that you are on Windows 10 Insider Preview Build 14379 or later. This deployment method is only available from that build or later.

@ -83,7 +83,7 @@ Monitoring with SCCM consists of two parts:

4. Review the status indicators under **Completion Statistics** and **Content Status**.

If there are failed deployments (endpoints with **Error**, **Requirements Not Met**, or **Failed statuses**), you may need to troubleshoot the endpoints. See the [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) topic for more information.
If there are failed deployments (endpoints with **Error**, **Requirements Not Met**, or **Failed statuses**), you may need to troubleshoot the endpoints. For more information see, [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md).

![Windows Defender ATP sample onboarding package]()


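Review bot: the new wording `For more information see, [Troubleshoot ...]` puts the comma after `see`; the standard form is `For more information, see [Troubleshoot ...].` The same misplaced comma appears in every other hunk of this commit that rewrites a `See the ... topic for more information` sentence (the local script, SIEM, dashboard, machines view, alerts queue, minimum requirements and settings topics), with the single exception of the Group Policy sentence in the troubleshooting topic, which already has it right. Since the commit message is `fix all for more information see`, fixing the comma in the same change keeps the phrasing consistent across the doc set. Also note the bold in `**Failed statuses**` covers the word `statuses`, which is not part of the status name.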
@ -35,7 +35,7 @@ You can also manually onboard individual endpoints to Windows Defender ATP. You

5. Press the **Enter** key or click **OK**.

See the [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) topic for details on how you can manually validate that the endpoint is compliant and correctly reports telemetry.
For for information on how you can manually validate that the endpoint is compliant and correctly reports telemetry see, [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md).

## Offboard endpoints using a local script
For security reasons, the package used to offboard endpoints will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
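Review bot: `For for information on how you can manually validate ...` has a doubled word; it should read `For more information on how you can manually validate that the endpoint is compliant and correctly reports telemetry, see [Troubleshoot ...].` (comma before `see`, not after). In the unchanged context below it, `the packages expiry date` needs the possessive, `the package's expiry date`.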
@ -45,9 +45,9 @@ For security reasons, the package used to offboard endpoints will expire 30 days
1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):

a. Click **Endpoint Management** on the **Navigation pane**.


b. Under **Endpoint offboarding** section, select **Group Policy**, click **Download package** and save the .zip file.


2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.

3. Open an elevated command-line prompt on the endpoint and run the script:

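Review bot: step b tells the reader to `select **Group Policy**` under **Endpoint offboarding**, but this section is `## Offboard endpoints using a local script`, so check whether the local script option is the intended choice or whether this was copied from the Group Policy topic. The rest of the hunk is consistent: the read-only share in step 2 and the `valid_until_YYYY-MM-DD` file name match the 30-day expiry described in the paragraph above, and step 3 correctly requires an elevated prompt since the script changes machine state.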
@ -17,7 +17,7 @@ author: mjcaparas
- Windows 10, version 1607
- Windows Defender Advanced Threat Protection (Windows Defender ATP)

Windows Defender ATP supports security information and events management (SIEM) tools to consume alerts. Windows Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure Active Directory (AAD). The endpoint can be configured to get alerts from your enterprise tenant in AAD using the OAuth 2.0 authentication protocol in an application hosted in AAD.
Windows Defender ATP supports security information and events management (SIEM) tools to consume alerts. Windows Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure Active Directory (AAD). The endpoint can be configured to get alerts from your enterprise tenant in AAD using the OAuth 2.0 authentication protocol in an application hosted in AAD.

Windows Defender ATP supports the following SIEM tools:

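Review bot: the sentence `Windows Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure Active Directory (AAD)` does not match the Events URL given in the ArcSight hunk of this same commit, `https://DataAccess-PRD.trafficmanager.net:444/api/alerts`, which is not an AAD address. AAD hosts the application and the OAuth 2.0 authorization, not the alerts endpoint itself; something like `exposes alerts through an HTTPS endpoint, and access to it is authorized by an application in your AAD tenant using OAuth 2.0` would describe the trust boundary accurately. The hunk only changes whitespace in this paragraph, so the wording fix would be a small follow-up.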
@ -28,15 +28,15 @@ To use either of these supported SIEM tools you'll need to:

- [Configure an Azure Active Directory application for SIEM integration in your tenant](configure-aad-windows-defender-advanced-threat-protection.md)
- Configure the supported SIEM tool:
- Configure Splunk to consume alerts
- Configure HP ArcSight to consume alerts
- [Configure Splunk to consume alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
- [Configure HP ArcSight to consume alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)


After configuring the application, you need to take note of the following values:



You need to use these values in your SIEM tool to configure them.
You need to use these values in your SIEM tool to configure them.

For Splunk you need these values:

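Review bot: `After configuring the application, you need to take note of the following values:` is followed only by blank lines in this hunk; confirm the values list is still present in the file after the edit. `You need to use these values in your SIEM tool to configure them.` should be `to configure it`, since the reader configures one tool, and the two sub-bullets turned into links (`Configure Splunk to consume alerts`, `Configure HP ArcSight to consume alerts`) should keep their nesting under `Configure the supported SIEM tool:` so the list structure survives rendering.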
@ -49,6 +49,12 @@ For HP ArcSight you need these values:
To get the refresh token:

- if using Splunk - your MS representative will provide this to you
- if using HP ArcSight - you need to run restutil
- if using HP ArcSight - you need to run restutil

## In this section

Topic | Description
:---|:---
[Configure an Azure Active Directory application](configure-aad-windows-defender-advanced-threat-protection.md)| Learn about configuring an Azure Active Directory application to integrate with supported security information and events management (SIEM) tools.
[Configure Splunk](configure-splunk-windows-defender-advanced-threat-protection.md)| Learn about installing the REST API Modular Input app and other configuration settings to enable Splunk to consume Windows Defender ATP alerts.
[Configure ArcSight](configure-arcsight-windows-defender-advanced-threat-protection.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to consume Windows Defender ATP alerts.

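Review bot: the bullet `if using HP ArcSight - you need to run restutil` gives no pointer to where restutil is documented; link it to the ArcSight topic, which names the section `Run restutil to Obtain a Refresh Token for Connector Appliance/ArcSight Management Center`. Spell out `MS representative` as `Microsoft representative`, and give both bullets the same sentence form (capitalized, ending with a period). In the added `## In this section` table, the link text `Configure ArcSight` differs from the `Configure HP ArcSight to consume alerts` text used for the same file in the Related topics lists elsewhere in this commit; pick one.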
@ -17,9 +17,9 @@ author: mjcaparas
- Windows 10, version 1607
- Windows Defender Advanced Threat Protection (Windows Defender ATP)

You'll need to configure Splunk so that it can consume Windows Defender ATP alerts.
You'll need to configure Splunk so that it can consume Windows Defender ATP alerts.

### Before you begin
## Before you begin

- Install the [REST API Modular Input app](https://splunkbase.splunk.com/app/1546/) in Splunk (RONEN - please check if this link is correct.)
- Contact the Windows Defender ATP team to provide you your refresh token
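Review bot: the `(RONEN - please check if this link is correct.)` placeholder on the REST API Modular Input app bullet has to be resolved and removed before merge; the same `https://splunkbase.splunk.com/app/1546/` link appears again without the note in the step 3 note later in this file, so whichever answer comes back should be applied to both. The heading promotion to `## Before you begin` matches the ArcSight topic in this commit.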
@ -37,7 +37,7 @@ You'll need to configure Splunk so that it can consume Windows Defender ATP aler
3. Select **REST** under **Local inputs**.
> **Note** This input will only appear after you install the [REST API Modular Input app](https://splunkbase.splunk.com/app/1546/).

4. Select **New**.
4. Select **New**.

5. In the form fill in the following required fields with these values:

@ -53,18 +53,20 @@ Response type | json
Response Handler | JSONArrayHandler
Polling Interval | Number of seconds that Splunk will ping the Windows Defender ATP endpoint. Accepted values are in seconds.
Set sourcetype | From list
Source type | _json
Source type | \_json

All other values in the form are optional and can be left blank.

6. Select **Save**.
6. Select **Save**.

After completing these configuration steps, you can go to the Splunk dashboard and run queries.
After completing these configuration steps, you can go to the Splunk dashboard and run queries.

Some sample queries are: RONEN - PLEASE CHECK IF THE FOLLOWING ARE CORRECT - THANK YOU
```source="rest://windows atp alerts"```
```source="rest://windows atp alerts"|spath|table*```


## Related topic
## Related topics
- [Configure security information and events management (SIEM) tools to consume alerts](configure-siem-windows-defender-advanced-threat-protection.md)
- [Configure Azure Active Directory application for SIEM integration](configure-aad-windows-defender-advanced-threat-protection.md)
- [Configure HP ArcSight to consume alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)

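Review bot: the two sample queries are wrapped in triple backticks on a single line each (```` ```source="rest://windows atp alerts"``` ````), which renders inconsistently; put them in a fenced code block or use single backticks. Verify the second query before the `RONEN - PLEASE CHECK ...` note is removed: `|spath|table*` with no spaces is most likely meant to be `| spath | table *`. The `Polling Interval` description says `Number of seconds ...` and then repeats `Accepted values are in seconds`; one of the two is enough. Escaping the underscore in `\_json` is the right fix for the markdown renderer.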
@ -38,18 +38,18 @@ You can view the overall number of active ATP alerts from the last 30 days in yo

Each group is further sub-categorized into their corresponding alert severity levels. Click the number of alerts inside each alert ring to see a sorted view of that category's queue (**New** or **In progress**).

See the [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md) topic for more information.
For more information see, [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md).

The **Latest ATP alerts** section includes the latest active alerts in your network. Each row includes an alert severity category and a short description of the alert. Click an alert to see its detailed view, or **Alerts queue** at the top of the list to go directly to the Alerts queue. See the [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) and [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md) topics for more information.
The **Latest ATP alerts** section includes the latest active alerts in your network. Each row includes an alert severity category and a short description of the alert. Click an alert to see its detailed view, or **Alerts queue** at the top of the list to go directly to the Alerts queue. For more information see, [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) and [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md).

## Machines at risk
This tile shows you a list of machines with the highest number of active alerts. The total number of alerts for each machine is shown in a circle next to the machine name, and then further categorized by severity levels at the far end of the tile (hover over each severity bar to see its label).

![The Machines at risk tile shows a list of machines with the highest number of alerts, and a breakdown of the severity of the alerts](images/machines-at-risk.png)

Click the name of the machine to see details about that machine. See the [Investigate Windows Defender ATP alerts](investigate-alerts-windows-defender-advanced-threat-protection.md#investigate-a-machine) topic for more information.
Click the name of the machine to see details about that machine. For more information see, [Investigate Windows Defender ATP alerts](investigate-alerts-windows-defender-advanced-threat-protection.md#investigate-a-machine).

You can also click **Machines view** at the top of the tile to go directly to the **Machines view**, sorted by the number of active alerts. See the [Investigate machines in the Windows Defender Advanced Threat Protection Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) topic for more information.
You can also click **Machines view** at the top of the tile to go directly to the **Machines view**, sorted by the number of active alerts. For more information see, [Investigate machines in the Windows Defender Advanced Threat Protection Machines view](investigate-machines-windows-defender-advanced-threat-protection.md).

## Status
The **Status** tile informs you if the service is active and running and the unique number of machines (endpoints) reporting over the past 30 days.

@ -119,7 +119,7 @@ HKLM\SOFTWARE\Policies\Microsoft\Sense\AllowSampleCollection
Value = 0 - block sample collection
Value = 1 - allow sample collection
```
5. Change the organizational unit through the Group Policy. See [Configure with Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md).
5. Change the organizational unit through the Group Policy. For more information, see [Configure with Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md).
6. If these steps do not resolve the issue, contact [winatp@microsoft.com](mailto:winatp@microsoft.com).

> **Note** If the value *AllowSampleCollection* is not available, the client will allow sample collection by default.

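Review bot: step 5 here uses `For more information, see [Configure with Group Policy]`, which is the correct punctuation, but it is the only rewritten sentence in this commit with the comma before `see`; align the other topics to this form rather than the reverse. The unchanged note below it is worth keeping prominent: with `AllowSampleCollection` absent the client allows sample collection by default, so an administrator who wants collection blocked has to set the value to 0 explicitly rather than rely on the key being missing.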
@ -63,7 +63,7 @@ The threat category filter lets you filter the view by the following categories:
- Threat
- Low severity

See the [Investigate machines with active alerts](dashboard-windows-defender-advanced-threat-protection.md#investigate-machines-with-active-malware-detections) topic for a description of each category.
For more information on the description of each category see, [Investigate machines with active alerts](dashboard-windows-defender-advanced-threat-protection.md#investigate-machines-with-active-malware-detections).

You can also download a full list of all the machines in your organization, in CSV format. Click the **Manage Alert** menu icon ![The menu icon looks like three periods stacked on top of each other](images/menu-icon.png) to download the entire list as a CSV file.


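Review bot: `For more information on the description of each category see, [Investigate machines with active alerts]` is wordier than the sentence it replaces; `For a description of each category, see [Investigate machines with active alerts](...).` says the same thing with the comma in the right place.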
@ -19,7 +19,7 @@ author: mjcaparas

Windows Defender ATP notifies you of detected, possible attacks or breaches through alerts. A summary of new alerts is displayed in the **Dashboard**, and you can access all alerts in the **Alerts queue** menu.

See the [Investigate Windows Defender ATP alerts](investigate-alerts-windows-defender-advanced-threat-protection.md#investigate-windows-defender-advanced-threat-protection-alerts) topic for more details on how to investigate alerts.
For more information on how to investigate alerts see, [Investigate Windows Defender ATP alerts](investigate-alerts-windows-defender-advanced-threat-protection.md#investigate-windows-defender-advanced-threat-protection-alerts).

Click the **Manage Alert** menu icon ![The menu icon looks like three periods stacked on top of each other](images/menu-icon.png) on the top of the alert to access the Manage Alert menu and manage alerts.


@ -42,7 +42,7 @@ The hardware requirements for Windows Defender ATP on endpoints is the same as t

> **Note** Endpoints that are running Windows Server and mobile versions of Windows are not supported.

Internet connectivity on endpoints is also required. See [Configure Windows Defender ATP endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) for additional proxy configuration settings.
Internet connectivity on endpoints is also required. For more information on additional proxy configuration settings see, [Configure Windows Defender ATP endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) .

Before you configure endpoints, the telemetry and diagnostics service must be enabled. The service is enabled by default in Windows 10, but if it has been disabled you can turn it on by following the instructions in the [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) section.


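Review bot: the rewritten sentence ends with a stray space before the period (`...threat-protection.md) .`) and has the comma after `see`; it should read `For more information on additional proxy configuration settings, see [Configure Windows Defender ATP endpoint proxy and Internet connectivity settings](...).` The unchanged context line above it, `The hardware requirements ... is the same as`, also needs `are the same as`.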
@ -50,7 +50,7 @@ To set the time zone:
3. The time zone indicator changes to **Timezone:Local**. Click it again to change back to **Timezone:UTC**.

## Suppression rules
The suppression rules control what alerts are suppressed. You can suppress alerts so that certain activities are not flagged as suspicious. See [Suppress alerts](manage-alerts-windows-defender-advanced-threat-protection.md#suppress-alerts).
The suppression rules control what alerts are suppressed. You can suppress alerts so that certain activities are not flagged as suspicious. For more information see, [Suppress alerts](manage-alerts-windows-defender-advanced-threat-protection.md#suppress-alerts).

## License
Click the license link in the **Settings** menu to view the license agreement information for Windows Defender ATP.
