From fa7ff33a3ae22711e9040bfc9958ce7299d727f3 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 15 Dec 2020 14:54:58 -0800 Subject: [PATCH 001/116] Create defender-endpoint-false-positives-negatives.md --- ...nder-endpoint-false-positives-negatives.md | 33 +++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md new file mode 100644 index 0000000000..6ea027c1ee --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -0,0 +1,33 @@ +--- +title: Address false positives/negatives in Microsoft Defender for Endpoint +description: Learn how to handle false positives or false negatives in Microsoft Defender for Endpoint. +keywords: alert, exclusion, defender atp, false positive, false negative +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.technology: windows +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: deniseb +author: denisebmsft +ms.date: 12/15/2020 +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint +ms.topic: conceptual +ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs, yonghree +ms.custom: AIR +--- + +# Address false positives/negatives in Microsoft Defender for Endpoint + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + +**Applies to** + +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146806) + From 6ce84f2c4dbacc71486731a580b322af7bd12486 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 15 Dec 2020 14:57:19 -0800 Subject: [PATCH 002/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 6ea027c1ee..b3098ec0dd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -20,7 +20,7 @@ ms.collection: - m365initiative-defender-endpoint ms.topic: conceptual ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs, yonghree -ms.custom: AIR +ms.custom: FPFN --- # Address false positives/negatives in Microsoft Defender for Endpoint @@ -31,3 +31,5 @@ ms.custom: AIR - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146806) +Did Microsoft Defender for Endpoint identify an artifact as malicious, even though it wasn't? Are files or processes that are not a threat being stopped in their tracks by Defender for Endpoint? Or, did Defender for Endpoint miss something? Use this article as a guide for addressing false positives or false negatives in Defender for Endpoint. + From fda53f2bd94c7d4e2691922fad5982a7c5b08a0e Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 15 Dec 2020 15:10:19 -0800 Subject: [PATCH 003/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index b3098ec0dd..72ede58c51 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -33,3 +33,6 @@ ms.custom: FPFN Did Microsoft Defender for Endpoint identify an artifact as malicious, even though it wasn't? Are files or processes that are not a threat being stopped in their tracks by Defender for Endpoint? Or, did Defender for Endpoint miss something? Use this article as a guide for addressing false positives or false negatives in Defender for Endpoint. +| Step | Description | +|:---|:---| +| 1. Identify a false positive/negative | | \ No newline at end of file From 131da8346ac47dac17b151b7ed07ff7c81cfd056 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 15 Dec 2020 15:56:57 -0800 Subject: [PATCH 004/116] Update defender-endpoint-false-positives-negatives.md --- ...nder-endpoint-false-positives-negatives.md | 23 ++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 72ede58c51..7a8b28a303 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -35,4 +35,25 @@ Did Microsoft Defender for Endpoint identify an artifact as malicious, even thou | Step | Description | |:---|:---| -| 1. Identify a false positive/negative | | \ No newline at end of file +| 1. Identify a false positive/negative | | +| 2. Review/define exclusions for Defender for Endpoint | | +| 3. Review/define indicators for Defender for Endpoint | | +| 4. Classify a false positive/negative in Defender for Endpoint | | +| 5. Submit a file for analysis | | +| 6. Confirm your software uses EV code signing | | + +## Identify a false positive/negative + +*How do we know something is a false positive or negative? What do we want customers to look for?* + +## Review or define exclusions + +*Exclusions are defined for AutoIR and for MDAV, yes?* + +## Review or define indicators + +## Classify a false positive or false negative + +## Submit a file for analysis + +## Confirm your software uses EV code signing \ No newline at end of file From ae764c12b4d5421861690c50422d036e3e37cc7b Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 15 Dec 2020 16:02:50 -0800 Subject: [PATCH 005/116] Update defender-endpoint-false-positives-negatives.md --- ...nder-endpoint-false-positives-negatives.md | 22 +++++++++++++------ 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 7a8b28a303..40bb2b65ea 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -35,12 +35,12 @@ Did Microsoft Defender for Endpoint identify an artifact as malicious, even thou | Step | Description | |:---|:---| -| 1. Identify a false positive/negative | | -| 2. Review/define exclusions for Defender for Endpoint | | -| 3. Review/define indicators for Defender for Endpoint | | -| 4. Classify a false positive/negative in Defender for Endpoint | | -| 5. Submit a file for analysis | | -| 6. Confirm your software uses EV code signing | | +| 1. [Identify a false positive/negative](#identify-a-false-positivenegative) | | +| 2. [Review/define exclusions for Defender for Endpoint](#review-or-define-exclusions) | | +| 3. [Review/define indicators for Defender for Endpoint](#review-or-define-indicators) | | +| 4. [Classify a false positive/negative in Defender for Endpoint](#classify-a-false-positive-or-false-negative) | | +| 5. [Submit a file for analysis](#submit-a-file-for-analysis) | | +| 6. [Confirm your software uses EV code signing](#confirm-your-software-uses-ev-code-signing) | | ## Identify a false positive/negative @@ -52,8 +52,16 @@ Did Microsoft Defender for Endpoint identify an artifact as malicious, even thou ## Review or define indicators +*Allow indicators for false positives; block indicators for false negatives. https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators* + ## Classify a false positive or false negative +*Need to figure out where/how this is done* + ## Submit a file for analysis -## Confirm your software uses EV code signing \ No newline at end of file +*https://www.microsoft.com/wdsi/filesubmission/* + +## Confirm your software uses EV code signing + +*Some info is available here: https://docs.microsoft.com/windows-hardware/drivers/dashboard/get-a-code-signing-certificate* \ No newline at end of file From fe4c83039bc4c7431f25a5f3f975109743b011ce Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 15 Dec 2020 16:08:27 -0800 Subject: [PATCH 006/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 40bb2b65ea..2d4e5efdb5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -35,7 +35,7 @@ Did Microsoft Defender for Endpoint identify an artifact as malicious, even thou | Step | Description | |:---|:---| -| 1. [Identify a false positive/negative](#identify-a-false-positivenegative) | | +| 1. [Identify a false positive/negative](#identify-a-false-positivenegative) | A false positive is something that was detected and identified as malicious, when in fact it does not pose a threat.
A false negative is something that was not detected as a threat even though it is, in fact, malicious.
Both false positives and false negatives can be problematic for your organization. | | 2. [Review/define exclusions for Defender for Endpoint](#review-or-define-exclusions) | | | 3. [Review/define indicators for Defender for Endpoint](#review-or-define-indicators) | | | 4. [Classify a false positive/negative in Defender for Endpoint](#classify-a-false-positive-or-false-negative) | | From bcd0ea8622f7858720b7f9d28bf8f718567be1d6 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 13 Jan 2021 12:49:14 -0800 Subject: [PATCH 007/116] Update defender-endpoint-false-positives-negatives.md --- ...nder-endpoint-false-positives-negatives.md | 33 ++++++++++++------- 1 file changed, 21 insertions(+), 12 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 2d4e5efdb5..c43654ba5e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -11,7 +11,7 @@ ms.sitesec: library ms.pagetype: security ms.author: deniseb author: denisebmsft -ms.date: 12/15/2020 +ms.date: 01/15/2021 ms.localizationpriority: medium manager: dansimp audience: ITPro @@ -31,20 +31,29 @@ ms.custom: FPFN - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146806) -Did Microsoft Defender for Endpoint identify an artifact as malicious, even though it wasn't? Are files or processes that are not a threat being stopped in their tracks by Defender for Endpoint? Or, did Defender for Endpoint miss something? Use this article as a guide for addressing false positives or false negatives in Defender for Endpoint. +In Microsoft Defender for Endpoint, a false positive is an entity, such as a file or process, that was detected and identified as malicious, when, in fact, the entity does not pose a threat. A false negative is an entity that was not detected as a threat even though it is, in fact, malicious. If you’re seeing false positives or negatives in your Microsoft Defender Security Center, use this article as a guide to take action. -| Step | Description | -|:---|:---| -| 1. [Identify a false positive/negative](#identify-a-false-positivenegative) | A false positive is something that was detected and identified as malicious, when in fact it does not pose a threat.
A false negative is something that was not detected as a threat even though it is, in fact, malicious.
Both false positives and false negatives can be problematic for your organization. | -| 2. [Review/define exclusions for Defender for Endpoint](#review-or-define-exclusions) | | -| 3. [Review/define indicators for Defender for Endpoint](#review-or-define-indicators) | | -| 4. [Classify a false positive/negative in Defender for Endpoint](#classify-a-false-positive-or-false-negative) | | -| 5. [Submit a file for analysis](#submit-a-file-for-analysis) | | -| 6. [Confirm your software uses EV code signing](#confirm-your-software-uses-ev-code-signing) | | +Review your threat protection settings +Microsoft Defender for Endpoint offers a wide variety of options, including the ability to fine tune settings for various features and capabilities. If you’re getting a lot of false positives, review your organization’s threat protection settings. You might need to make some adjustments to the following settings in particular: -## Identify a false positive/negative +- Cloud-delivered protection +- Remediation for potentially unwanted apps (PUA) + +### Cloud-delivered protection + +Check your cloud-delivered protection level for Microsoft Defender Antivirus. By default, this is set to **Not configured**, which corresponds to a normal level of protection for most organizations. If your cloud-delivered protection is set to **High**, **High +**, or **Zero tolerance**, you might experience a higher number of false positives. + +See [Specify the cloud-delivered protection level](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus) + +### Remediation for potentially unwanted applications (PUA) + +Potentially unwanted applications (PUA) are a category of software that can cause devices to run slowly, display unexpected ads, or install other software that might be unexpected or unwanted. Examples of PUA include advertising software, bundling software, and evasion software that behaves differently with security products. Although PUA is not considered malware, some kinds of software are PUA based on their behavior and reputation. + +Depending on the apps your organization is using, you might be getting false positives as a result of your PUA protection settings. If this is happening, consider running PUA protection in audit mode for a while, or apply PUA protection to a subset of devices in your organization. PUA protection can be configured for the Microsoft Edge browser and for Microsoft Defender Antivirus. + +> [!TIP] +> To learn more about PUA, see [Detect and block potentially unwanted applications](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus). -*How do we know something is a false positive or negative? What do we want customers to look for?* ## Review or define exclusions From a41ed13796f6238a069151684485c15296665174 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 13 Jan 2021 12:50:25 -0800 Subject: [PATCH 008/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index c43654ba5e..7e2224fc74 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -54,6 +54,16 @@ Depending on the apps your organization is using, you might be getting false pos > [!TIP] > To learn more about PUA, see [Detect and block potentially unwanted applications](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus). +#### Use Microsoft Endpoint Manager to edit PUA protection for existing configuration profiles + +1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. +2. Choose **Devices** > **Configuration profiles**, and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to the next procedure). +3. Under **Manage**, choose **Properties**, and then, next to **Configuration settings**, choose **Edit**. +4. On the **Configuration settings** tab, scroll down and expand **Microsoft Defender Antivirus**. +5. Set **Detect potentially unwanted applications** to **Audit**. (You can turn it off, but by using audit mode, you will be able to see detections.) +6. Choose **Review + save**, and then choose **Save**. + + ## Review or define exclusions From 0509296bac40162a4aefbfe21aecf284507843ac Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 13 Jan 2021 12:50:48 -0800 Subject: [PATCH 009/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 7e2224fc74..703de9a4ef 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -56,12 +56,12 @@ Depending on the apps your organization is using, you might be getting false pos #### Use Microsoft Endpoint Manager to edit PUA protection for existing configuration profiles -1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. -2. Choose **Devices** > **Configuration profiles**, and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to the next procedure). -3. Under **Manage**, choose **Properties**, and then, next to **Configuration settings**, choose **Edit**. -4. On the **Configuration settings** tab, scroll down and expand **Microsoft Defender Antivirus**. -5. Set **Detect potentially unwanted applications** to **Audit**. (You can turn it off, but by using audit mode, you will be able to see detections.) -6. Choose **Review + save**, and then choose **Save**. +1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. +2. Choose **Devices** > **Configuration profiles**, and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to the next procedure). +3. Under **Manage**, choose **Properties**, and then, next to **Configuration settings**, choose **Edit**. +4. On the **Configuration settings** tab, scroll down and expand **Microsoft Defender Antivirus**. +5. Set **Detect potentially unwanted applications** to **Audit**. (You can turn it off, but by using audit mode, you will be able to see detections.) +6. Choose **Review + save**, and then choose **Save**. From 1c60d9b448e225a8707e85cbc1d7c0292741de68 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 13 Jan 2021 12:52:02 -0800 Subject: [PATCH 010/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 703de9a4ef..4fc988374f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -57,12 +57,23 @@ Depending on the apps your organization is using, you might be getting false pos #### Use Microsoft Endpoint Manager to edit PUA protection for existing configuration profiles 1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. -2. Choose **Devices** > **Configuration profiles**, and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to the next procedure). +2. Choose **Devices** > **Configuration profiles**, and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-set-pua-protection-for-a-new-configuration-profile)). 3. Under **Manage**, choose **Properties**, and then, next to **Configuration settings**, choose **Edit**. 4. On the **Configuration settings** tab, scroll down and expand **Microsoft Defender Antivirus**. 5. Set **Detect potentially unwanted applications** to **Audit**. (You can turn it off, but by using audit mode, you will be able to see detections.) 6. Choose **Review + save**, and then choose **Save**. +#### Use Microsoft Endpoint Manager to set PUA protection for a new configuration profile + +1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. +2. Choose **Devices** > **Configuration profiles** > **+ Create profile**. +3. For the **Platform**, choose **Windows 10 and later**, and for **Profile**, select **Device restrictions**. +4. On the **Basics** tab, specify a name and description for your policy. Then choose **Next**. +5. On the **Configuration settings** tab, scroll down and expand **Microsoft Defender Antivirus**. +6. Set **Detect potentially unwanted applications** to **Audit**, and then choose **Next**. (You can turn PUA protection off, but by using audit mode, you will be able to see detections.) +7. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (If you need help with assignments, see [Assign user and device profiles in Microsoft Intune](Assign device profiles in Microsoft Intune - Azure | Microsoft Docs).) +8. On the **Applicability Rules** tab, specify the OS editions or versions to include or exclude from the policy. For example, you can set the policy to be applied to all devices certain editions of Windows 10. Then choose **Next**. +9. On the **Review + create** tab, review your settings, and, and then choose **Create**. ## Review or define exclusions From 47a5ddb4b59892d07f31a4ef6dc08737e27e7a14 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 13 Jan 2021 12:54:35 -0800 Subject: [PATCH 011/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 4fc988374f..d120882e6a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -76,9 +76,17 @@ Depending on the apps your organization is using, you might be getting false pos 9. On the **Review + create** tab, review your settings, and, and then choose **Create**. -## Review or define exclusions +## Review or define exclusions for Microsoft Defender for Endpoint + +An exclusion is an entity that you specify as an exception to remediation. The excluded entity might still get detected, but no remediation actions are taken on that entity. That is, the detected file or process won’t be stopped, sent to quarantine, removed, or otherwise changed by Microsoft Defender for Endpoint. + +To define exclusions across Microsoft Defender for Endpoint, you must perform at least two kinds of tasks: + +- Define exclusions for Microsoft Defender Antivirus (you do this by editing an existing antivirus policy or by creating a new policy) +- Create “allow” indicators for Microsoft Defender for Endpoint () + +You must perform both kinds of tasks because Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR), attack surface reduction (ASR) rules, and controlled folder access. Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections. To exclude files broadly, use custom indicators. -*Exclusions are defined for AutoIR and for MDAV, yes?* ## Review or define indicators From ba8ffab39c6b33c5d8b74f831c6adb308218a1fd Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 13 Jan 2021 12:55:40 -0800 Subject: [PATCH 012/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index d120882e6a..4cfd1708d9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -85,7 +85,7 @@ To define exclusions across Microsoft Defender for Endpoint, you must perform at - Define exclusions for Microsoft Defender Antivirus (you do this by editing an existing antivirus policy or by creating a new policy) - Create “allow” indicators for Microsoft Defender for Endpoint () -You must perform both kinds of tasks because Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR), attack surface reduction (ASR) rules, and controlled folder access. Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections. To exclude files broadly, use custom indicators. +You must perform both kinds of tasks because Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR), [attack surface reduction (ASR) rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction), and [controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/controlled-folders). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections. To exclude files broadly, use custom indicators. ## Review or define indicators From f1e6f6f4ff42ca4086b58915cf99051c152af1e2 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 13 Jan 2021 12:56:39 -0800 Subject: [PATCH 013/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 4cfd1708d9..61db33647d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -75,17 +75,15 @@ Depending on the apps your organization is using, you might be getting false pos 8. On the **Applicability Rules** tab, specify the OS editions or versions to include or exclude from the policy. For example, you can set the policy to be applied to all devices certain editions of Windows 10. Then choose **Next**. 9. On the **Review + create** tab, review your settings, and, and then choose **Create**. - ## Review or define exclusions for Microsoft Defender for Endpoint An exclusion is an entity that you specify as an exception to remediation. The excluded entity might still get detected, but no remediation actions are taken on that entity. That is, the detected file or process won’t be stopped, sent to quarantine, removed, or otherwise changed by Microsoft Defender for Endpoint. To define exclusions across Microsoft Defender for Endpoint, you must perform at least two kinds of tasks: - - Define exclusions for Microsoft Defender Antivirus (you do this by editing an existing antivirus policy or by creating a new policy) - Create “allow” indicators for Microsoft Defender for Endpoint () -You must perform both kinds of tasks because Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR), [attack surface reduction (ASR) rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction), and [controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/controlled-folders). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections. To exclude files broadly, use custom indicators. +You must perform both kinds of tasks because Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR), [attack surface reduction (ASR) rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction), and [controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/controlled-folders). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections. To exclude files broadly, use [custom indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators). ## Review or define indicators From 04e2d46c5b0994aefda58e659b99e89164de1dad Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 13 Jan 2021 13:06:18 -0800 Subject: [PATCH 014/116] Update defender-endpoint-false-positives-negatives.md --- ...nder-endpoint-false-positives-negatives.md | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 61db33647d..f9216bbfe8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -85,6 +85,33 @@ To define exclusions across Microsoft Defender for Endpoint, you must perform at You must perform both kinds of tasks because Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR), [attack surface reduction (ASR) rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction), and [controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/controlled-folders). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections. To exclude files broadly, use [custom indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators). +### Exclusions for Microsoft Defender Antivirus + +In general, you should not need to define exclusions for Microsoft Defender Antivirus. Make sure that you define exclusions sparingly, and that you only include the files, folders, processes, and process-opened files that are resulting in false positives. In addition, make sure to review your defined exclusions regularly. We recommend using Microsoft Endpoint Manager to define or edit your antivirus exclusions. + +> [!TIP] +> Need help with antivirus exclusions? See [Configure and validate exclusions for Microsoft Defender Antivirus scans](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus). + +#### Use Microsoft Endpoint Manager to manage antivirus exclusions for existing policies + +1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. +2. Choose **Endpoint security** > **Antivirus**, and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to the next procedure). +3. Choose **Properties**, and next to **Configuration settings**, choose **Edit**. +4. Expand **Microsoft Defender Antivirus Exclusions** and then specify your exclusions. +5. Choose **Review + save**, and then choose **Save**. + +#### Use Microsoft Endpoint Manager to create an antivirus policy with exclusions +1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. +2. Choose **Endpoint security** > **Antivirus** > **+ Create Policy**. +3. Select a platform (such as Windows 10 and later, macOS, or Windows 10 and Windows Server). +4. For **Profile**, select **Microsoft Defender Antivirus exclusions**, and then choose **Create**. +5. Specify a name and description for the profile, and then choose **Next**. +6. On the **Configuration settings** tab, specify your antivirus exclusions, and then choose **Next**. +7. On the **Scope tags** tab, if you are using scope tags in your organization, specify scope tags for the policy you are creating. (See [Scope tags]( Use role-based access control (RBAC) and scope tags for distributed IT in Intune | Microsoft Docs).) +8. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (If you need help with assignments, see [Assign user and device profiles in Microsoft Intune](Assign device profiles in Microsoft Intune - Azure | Microsoft Docs).) +9. On the **Review + create** tab, review the settings, and then choose **Create**. + + ## Review or define indicators From 3d1407fd3a22033c4ba167208dc03f379cc85de2 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 13 Jan 2021 13:06:54 -0800 Subject: [PATCH 015/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index f9216bbfe8..4fd508750d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -90,7 +90,7 @@ You must perform both kinds of tasks because Microsoft Defender Antivirus exclus In general, you should not need to define exclusions for Microsoft Defender Antivirus. Make sure that you define exclusions sparingly, and that you only include the files, folders, processes, and process-opened files that are resulting in false positives. In addition, make sure to review your defined exclusions regularly. We recommend using Microsoft Endpoint Manager to define or edit your antivirus exclusions. > [!TIP] -> Need help with antivirus exclusions? See [Configure and validate exclusions for Microsoft Defender Antivirus scans](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus). +> Need help with antivirus exclusions? See [Configure and validate exclusions for Microsoft Defender Antivirus scans](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus). #### Use Microsoft Endpoint Manager to manage antivirus exclusions for existing policies @@ -101,6 +101,7 @@ In general, you should not need to define exclusions for Microsoft Defender Anti 5. Choose **Review + save**, and then choose **Save**. #### Use Microsoft Endpoint Manager to create an antivirus policy with exclusions + 1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. 2. Choose **Endpoint security** > **Antivirus** > **+ Create Policy**. 3. Select a platform (such as Windows 10 and later, macOS, or Windows 10 and Windows Server). From 3c5d2a3d2429851c32762559e667f20c91f60cc7 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 13 Jan 2021 13:09:06 -0800 Subject: [PATCH 016/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 4fd508750d..b43e1e658d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -95,7 +95,7 @@ In general, you should not need to define exclusions for Microsoft Defender Anti #### Use Microsoft Endpoint Manager to manage antivirus exclusions for existing policies 1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. -2. Choose **Endpoint security** > **Antivirus**, and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to the next procedure). +2. Choose **Endpoint security** > **Antivirus**, and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-create-an-antivirus-policy-with-exclusions)). 3. Choose **Properties**, and next to **Configuration settings**, choose **Edit**. 4. Expand **Microsoft Defender Antivirus Exclusions** and then specify your exclusions. 5. Choose **Review + save**, and then choose **Save**. @@ -108,7 +108,7 @@ In general, you should not need to define exclusions for Microsoft Defender Anti 4. For **Profile**, select **Microsoft Defender Antivirus exclusions**, and then choose **Create**. 5. Specify a name and description for the profile, and then choose **Next**. 6. On the **Configuration settings** tab, specify your antivirus exclusions, and then choose **Next**. -7. On the **Scope tags** tab, if you are using scope tags in your organization, specify scope tags for the policy you are creating. (See [Scope tags]( Use role-based access control (RBAC) and scope tags for distributed IT in Intune | Microsoft Docs).) +7. On the **Scope tags** tab, if you are using scope tags in your organization, specify scope tags for the policy you are creating. (See [Scope tags](https://docs.microsoft.com/mem/intune/fundamentals/scope-tags).) 8. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (If you need help with assignments, see [Assign user and device profiles in Microsoft Intune](Assign device profiles in Microsoft Intune - Azure | Microsoft Docs).) 9. On the **Review + create** tab, review the settings, and then choose **Create**. From 480e2a5a36204a7a1aa754c651f18631efbc55e7 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 13 Jan 2021 13:10:06 -0800 Subject: [PATCH 017/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index b43e1e658d..41af0bb20a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -112,8 +112,6 @@ In general, you should not need to define exclusions for Microsoft Defender Anti 8. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (If you need help with assignments, see [Assign user and device profiles in Microsoft Intune](Assign device profiles in Microsoft Intune - Azure | Microsoft Docs).) 9. On the **Review + create** tab, review the settings, and then choose **Create**. - - ## Review or define indicators *Allow indicators for false positives; block indicators for false negatives. https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators* From 514985aeb75c4975f24cb75ae6bc930a61ee32fc Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 13 Jan 2021 14:02:08 -0800 Subject: [PATCH 018/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 41af0bb20a..684eb83488 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -33,7 +33,8 @@ ms.custom: FPFN In Microsoft Defender for Endpoint, a false positive is an entity, such as a file or process, that was detected and identified as malicious, when, in fact, the entity does not pose a threat. A false negative is an entity that was not detected as a threat even though it is, in fact, malicious. If you’re seeing false positives or negatives in your Microsoft Defender Security Center, use this article as a guide to take action. -Review your threat protection settings +## Review your threat protection settings + Microsoft Defender for Endpoint offers a wide variety of options, including the ability to fine tune settings for various features and capabilities. If you’re getting a lot of false positives, review your organization’s threat protection settings. You might need to make some adjustments to the following settings in particular: - Cloud-delivered protection @@ -112,13 +113,17 @@ In general, you should not need to define exclusions for Microsoft Defender Anti 8. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (If you need help with assignments, see [Assign user and device profiles in Microsoft Intune](Assign device profiles in Microsoft Intune - Azure | Microsoft Docs).) 9. On the **Review + create** tab, review the settings, and then choose **Create**. -## Review or define indicators +### Indicators for Microsoft Defender for Endpoint *Allow indicators for false positives; block indicators for false negatives. https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators* -## Classify a false positive or false negative +To specify files, IP addresses, URLs, domains, and certificates as exclusions for Microsoft Defender for Endpoint, you can create "allow" indicators. "Allow" indicators prevent the following capabilities of Microsoft Defender for Endpoint from taking action on entities: + +- [Next-generation protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) +- [Endpoint detection and response](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) +- [Automated investigation & remediation](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) + -*Need to figure out where/how this is done* ## Submit a file for analysis From 7312853d028e81efbab426af3f5c28d1240c8d34 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 13 Jan 2021 14:02:28 -0800 Subject: [PATCH 019/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 684eb83488..ae042deaee 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -53,7 +53,7 @@ Potentially unwanted applications (PUA) are a category of software that can caus Depending on the apps your organization is using, you might be getting false positives as a result of your PUA protection settings. If this is happening, consider running PUA protection in audit mode for a while, or apply PUA protection to a subset of devices in your organization. PUA protection can be configured for the Microsoft Edge browser and for Microsoft Defender Antivirus. > [!TIP] -> To learn more about PUA, see [Detect and block potentially unwanted applications](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus). +> To learn more about PUA, see [Detect and block potentially unwanted applications](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus). #### Use Microsoft Endpoint Manager to edit PUA protection for existing configuration profiles @@ -119,9 +119,9 @@ In general, you should not need to define exclusions for Microsoft Defender Anti To specify files, IP addresses, URLs, domains, and certificates as exclusions for Microsoft Defender for Endpoint, you can create "allow" indicators. "Allow" indicators prevent the following capabilities of Microsoft Defender for Endpoint from taking action on entities: -- [Next-generation protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) -- [Endpoint detection and response](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) -- [Automated investigation & remediation](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) +- [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) +- [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) +- [Automated investigation & remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) From 44c4fbf6396ca58b9b8ac058e1a73fe8902b9e9f Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 14 Jan 2021 13:42:27 -0800 Subject: [PATCH 020/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index ae042deaee..ffdbda504e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -80,11 +80,13 @@ Depending on the apps your organization is using, you might be getting false pos An exclusion is an entity that you specify as an exception to remediation. The excluded entity might still get detected, but no remediation actions are taken on that entity. That is, the detected file or process won’t be stopped, sent to quarantine, removed, or otherwise changed by Microsoft Defender for Endpoint. -To define exclusions across Microsoft Defender for Endpoint, you must perform at least two kinds of tasks: -- Define exclusions for Microsoft Defender Antivirus (you do this by editing an existing antivirus policy or by creating a new policy) -- Create “allow” indicators for Microsoft Defender for Endpoint () +To define exclusions across Microsoft Defender for Endpoint, you perform these two tasks: +- Define exclusions for Microsoft Defender Antivirus +- Create “allow” indicators for Microsoft Defender for Endpoint -You must perform both kinds of tasks because Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR), [attack surface reduction (ASR) rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction), and [controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/controlled-folders). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections. To exclude files broadly, use [custom indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators). +Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR), [attack surface reduction (ASR) rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction), and [controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/controlled-folders). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections. To exclude files broadly, use [custom indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators), such as "allow" indcators for Microsoft Defender for Endpoint. + +The procedures in this section describe how to define exclusions and indicators. ### Exclusions for Microsoft Defender Antivirus From 2a62143a863c9cac8d8a0ed1092bcd69b5bee3c9 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 14 Jan 2021 13:43:08 -0800 Subject: [PATCH 021/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index ffdbda504e..e6f69698aa 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -90,7 +90,7 @@ The procedures in this section describe how to define exclusions and indicators. ### Exclusions for Microsoft Defender Antivirus -In general, you should not need to define exclusions for Microsoft Defender Antivirus. Make sure that you define exclusions sparingly, and that you only include the files, folders, processes, and process-opened files that are resulting in false positives. In addition, make sure to review your defined exclusions regularly. We recommend using Microsoft Endpoint Manager to define or edit your antivirus exclusions. +In general, you should not need to define exclusions for Microsoft Defender Antivirus. Make sure that you define exclusions sparingly, and that you only include the files, folders, processes, and process-opened files that are resulting in false positives. In addition, make sure to review your defined exclusions regularly. We recommend using Microsoft Endpoint Manager to define or edit your antivirus exclusions; however, you can use other methods, such as Group Policy as well. > [!TIP] > Need help with antivirus exclusions? See [Configure and validate exclusions for Microsoft Defender Antivirus scans](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus). From b02a689fcabe64b16fef1247e8ccc188bf8654b6 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 14 Jan 2021 13:51:31 -0800 Subject: [PATCH 022/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index e6f69698aa..06cebc920f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -117,9 +117,9 @@ In general, you should not need to define exclusions for Microsoft Defender Anti ### Indicators for Microsoft Defender for Endpoint -*Allow indicators for false positives; block indicators for false negatives. https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators* +Indicators enable your security operations team to define the detection, prevention, and exclusion of entities. For example, your security operations team can specify certain files to be omitted from scans and remediation actions in Microsoft Defender for Endpoint. Or, indicators can be used to generate alerts for certain IP addresses or URLs. -To specify files, IP addresses, URLs, domains, and certificates as exclusions for Microsoft Defender for Endpoint, you can create "allow" indicators. "Allow" indicators prevent the following capabilities of Microsoft Defender for Endpoint from taking action on entities: +To specify entities, such as files, IP addresses, URLs, domains, and certificates as exclusions for Microsoft Defender for Endpoint, you can create "allow" indicators. Such "allow" indicators apply to the following capabilities in Microsoft Defender for Endpoint: - [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) - [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) From 8dcc9193719eca758c78c4a28af7ed1b7508ebff Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 14 Jan 2021 14:13:59 -0800 Subject: [PATCH 023/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 06cebc920f..7b10b4055e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -119,13 +119,18 @@ In general, you should not need to define exclusions for Microsoft Defender Anti Indicators enable your security operations team to define the detection, prevention, and exclusion of entities. For example, your security operations team can specify certain files to be omitted from scans and remediation actions in Microsoft Defender for Endpoint. Or, indicators can be used to generate alerts for certain IP addresses or URLs. -To specify entities, such as files, IP addresses, URLs, domains, and certificates as exclusions for Microsoft Defender for Endpoint, you can create "allow" indicators. Such "allow" indicators apply to the following capabilities in Microsoft Defender for Endpoint: +To specify entities as exclusions for Microsoft Defender for Endpoint, you can create "allow" indicators. Such "allow" indicators apply to the following capabilities in Microsoft Defender for Endpoint: - [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) - [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) - [Automated investigation & remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) +You can create indicators for files, IP addresses, URLs, domains, and certificates. Use the following resources to create or manage indicators in the Microsoft Defender Security Center([https://securitycenter.windows.com](https://securitycenter.windows.com)): +- [Learn more about indicators](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) +- [Create an indicator for a file, such as an executable](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/indicator-file) +- [Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain) +- [Create an indicator for an application certificate](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates) ## Submit a file for analysis From 686d53ec8af732d9193d252fbcdd800446163efa Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 14 Jan 2021 14:21:59 -0800 Subject: [PATCH 024/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 7b10b4055e..870ce280d6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -132,6 +132,9 @@ You can create indicators for files, IP addresses, URLs, domains, and certificat - [Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain) - [Create an indicator for an application certificate](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates) +> [!TIP] +> When you create indicators, you can define them one by one or import multiple items at once. Keep in mind there's a limit of 15,000 indicators you can have in a single tenant. And, you might need to gather certain details first, such as file hash information. + ## Submit a file for analysis *https://www.microsoft.com/wdsi/filesubmission/* From e371bbcd198bee71ae509467d145686035ea23f8 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 14 Jan 2021 15:21:53 -0800 Subject: [PATCH 025/116] Update defender-endpoint-false-positives-negatives.md --- ...nder-endpoint-false-positives-negatives.md | 23 +++++++++++++------ 1 file changed, 16 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 870ce280d6..21a9dffad4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -119,21 +119,30 @@ In general, you should not need to define exclusions for Microsoft Defender Anti Indicators enable your security operations team to define the detection, prevention, and exclusion of entities. For example, your security operations team can specify certain files to be omitted from scans and remediation actions in Microsoft Defender for Endpoint. Or, indicators can be used to generate alerts for certain IP addresses or URLs. -To specify entities as exclusions for Microsoft Defender for Endpoint, you can create "allow" indicators. Such "allow" indicators apply to the following capabilities in Microsoft Defender for Endpoint: +To specify entities as exclusions for Microsoft Defender for Endpoint, your security team can create "allow" indicators. Such "allow" indicators apply to the following capabilities in Microsoft Defender for Endpoint: - [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) - [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) - [Automated investigation & remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) -You can create indicators for files, IP addresses, URLs, domains, and certificates. Use the following resources to create or manage indicators in the Microsoft Defender Security Center([https://securitycenter.windows.com](https://securitycenter.windows.com)): +Your security team can create indicators for files, IP addresses, URLs, domains, and certificates. Use the following resources to create or manage indicators in the Microsoft Defender Security Center([https://securitycenter.windows.com](https://securitycenter.windows.com)): -- [Learn more about indicators](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) -- [Create an indicator for a file, such as an executable](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/indicator-file) -- [Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain) -- [Create an indicator for an application certificate](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates) +- [Learn more about indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) +- [Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file) +- [Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain) +- [Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates) > [!TIP] -> When you create indicators, you can define them one by one or import multiple items at once. Keep in mind there's a limit of 15,000 indicators you can have in a single tenant. And, you might need to gather certain details first, such as file hash information. +> When you create indicators, you can define them one by one or import multiple items at once. Keep in mind there's a limit of 15,000 indicators you can have in a single tenant. And, you might need to gather certain details first, such as file hash information. Make sure to review the information, including prerequisites, + +## Classify a false positive or false negative + +### Suppress alerts for a false positive + +To suppress an alert, you create an alert suppression rule. + +1. Go to the Microsoft Defender Security Center () + ## Submit a file for analysis From 593e88abae3a0d4d650d43d98d09f6e9d9d2fdb5 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 14 Jan 2021 15:32:05 -0800 Subject: [PATCH 026/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 21a9dffad4..ee2d488676 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -137,12 +137,17 @@ Your security team can create indicators for files, IP addresses, URLs, domains, ## Classify a false positive or false negative -### Suppress alerts for a false positive +### Classify an alert as a false positive -To suppress an alert, you create an alert suppression rule. +Your security team can classify an alert as a false positive in the Microsoft Defender Security Center, in the Alerts queue. -1. Go to the Microsoft Defender Security Center () +1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. +2. Select **Alerts queue**, and then select an alert that is a false positive. +3. For the selected alert, select **Actions** > **Manage alert**. A flyout pane opens. +4. In the **Manage alert** section, select **True alert** or **False alert**. Use **False alert** to classify a false positive. +> [!TIP] +> For more details about suppressing alerts, see [Manage Microsoft Defender for Endpoint alerts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-alerts). ## Submit a file for analysis From b4a2125bc097ea67e3ba0aa56316323feb1c81a4 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 11:38:36 -0800 Subject: [PATCH 027/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index ee2d488676..5f0e8172e9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -137,6 +137,12 @@ Your security team can create indicators for files, IP addresses, URLs, domains, ## Classify a false positive or false negative +As alerts are triggered, if you see something that was detected as malicious or suspicious that should not be, you can suppress alerts for that entity and classify alerts as false positives. Managing your alerts and classifying false positives helps to train your threat protection solution. Taking these steps also helps reduce noise in your security operations dashboard so that your security team can focus on higher priority work items. + +### Suppress an alert + + + ### Classify an alert as a false positive Your security team can classify an alert as a false positive in the Microsoft Defender Security Center, in the Alerts queue. From 33bdd42057de9d1c7d326fedfbf3c1ed59ab24f2 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 11:43:57 -0800 Subject: [PATCH 028/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 5f0e8172e9..2a143eeeca 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -31,7 +31,7 @@ ms.custom: FPFN - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146806) -In Microsoft Defender for Endpoint, a false positive is an entity, such as a file or process, that was detected and identified as malicious, when, in fact, the entity does not pose a threat. A false negative is an entity that was not detected as a threat even though it is, in fact, malicious. If you’re seeing false positives or negatives in your Microsoft Defender Security Center, use this article as a guide to take action. +In the area of endpoint protection, a false positive is an entity, such as a file or process, that was detected and identified as malicious, when, in fact, the entity does not pose a threat. A false negative is an entity that was not detected as a threat even though it is, in fact, malicious. If you’re using Microsoft Defender for Endpoint, and you're seeing false positives or negatives in your Microsoft Defender Security Center, use this article as a guide to take action. ## Review your threat protection settings From 03455cece21ba363366bd6962c0a8b62a5251de8 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 11:53:37 -0800 Subject: [PATCH 029/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 2a143eeeca..5e214daece 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -31,7 +31,11 @@ ms.custom: FPFN - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146806) -In the area of endpoint protection, a false positive is an entity, such as a file or process, that was detected and identified as malicious, when, in fact, the entity does not pose a threat. A false negative is an entity that was not detected as a threat even though it is, in fact, malicious. If you’re using Microsoft Defender for Endpoint, and you're seeing false positives or negatives in your Microsoft Defender Security Center, use this article as a guide to take action. +In the area of endpoint protection, a false positive is an entity, such as a file or process, that was detected and identified as malicious, when, in fact, the entity does not pose a threat. A false negative is an entity that was not detected as a threat even though it is, in fact, malicious. The process of addressing false positives/negatives can include: +- Reviewing your threat protection settings and making adjustments where needed +- + +If you’re using Microsoft Defender for Endpoint, and you're seeing false positives or negatives in your Microsoft Defender Security Center, use this article as a guide to take action. ## Review your threat protection settings From 5eddcebd712edab6b9dd9822886e3e4571db2c3d Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 12:06:56 -0800 Subject: [PATCH 030/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 5e214daece..7e8b9fe917 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -31,11 +31,14 @@ ms.custom: FPFN - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146806) -In the area of endpoint protection, a false positive is an entity, such as a file or process, that was detected and identified as malicious, when, in fact, the entity does not pose a threat. A false negative is an entity that was not detected as a threat even though it is, in fact, malicious. The process of addressing false positives/negatives can include: -- Reviewing your threat protection settings and making adjustments where needed -- +In endpoint protection, a false positive is an entity, such as a file or process, that was detected and identified as malicious, when, in fact, the entity does not pose a threat. A false negative is an entity that was not detected as a threat even though it is, in fact, malicious. The process of addressing false positives/negatives can include: +- [Reviewing your threat protection settings and making adjustments where needed](#review-your-threat-protection-settings); +- [Defining exclusions, such as for antivirus and other endpoint protection features](#review-or-define-exclusions-for-microsoft-defender-for-endpoint); +- [Classifying false positives in your endpoint protection solution](#classify-a-false-positive-or-false-negative); +- [Submitting files for further analysis](#submit-a-file-for-analysis); and +- [Verifying that the applications your organization is using are properly signed](#confirm-your-software-uses-ev-code-signing). -If you’re using Microsoft Defender for Endpoint, and you're seeing false positives or negatives in your Microsoft Defender Security Center, use this article as a guide to take action. +If you’re using Microsoft Defender for Endpoint, and you're seeing false positives/negatives in your Microsoft Defender Security Center, use this article as a guide to take action. ## Review your threat protection settings From 19182cc41478da89fd15c381c01a4c9f80ff1cdd Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 12:15:08 -0800 Subject: [PATCH 031/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 7e8b9fe917..a77c24e5c2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -38,7 +38,7 @@ In endpoint protection, a false positive is an entity, such as a file or process - [Submitting files for further analysis](#submit-a-file-for-analysis); and - [Verifying that the applications your organization is using are properly signed](#confirm-your-software-uses-ev-code-signing). -If you’re using Microsoft Defender for Endpoint, and you're seeing false positives/negatives in your Microsoft Defender Security Center, use this article as a guide to take action. +If you’re using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection), and you're seeing false positives/negatives in your [Microsoft Defender Security Center](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/use), use this article as a guide to take action. This article also includes information about [what to do if you still need help](#still-need-help) after taking the recommended steps to address false positives/negatives in your environment. ## Review your threat protection settings @@ -168,4 +168,6 @@ Your security team can classify an alert as a false positive in the Microsoft De ## Confirm your software uses EV code signing -*Some info is available here: https://docs.microsoft.com/windows-hardware/drivers/dashboard/get-a-code-signing-certificate* \ No newline at end of file +*Some info is available here: https://docs.microsoft.com/windows-hardware/drivers/dashboard/get-a-code-signing-certificate* + +## Still need help? \ No newline at end of file From b76685aa6938c547cafd7b397aa2e606759fc87d Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 12:22:20 -0800 Subject: [PATCH 032/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index a77c24e5c2..1881a1f688 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -42,7 +42,7 @@ If you’re using [Microsoft Defender for Endpoint](https://docs.microsoft.com/w ## Review your threat protection settings -Microsoft Defender for Endpoint offers a wide variety of options, including the ability to fine tune settings for various features and capabilities. If you’re getting a lot of false positives, review your organization’s threat protection settings. You might need to make some adjustments to the following settings in particular: +Microsoft Defender for Endpoint offers a wide variety of options, including the ability to fine tune settings for various features and capabilities. If you’re getting a lot of false positives, make sure to review your organization’s threat protection settings. You might need to make some adjustments to the following settings in particular: - Cloud-delivered protection - Remediation for potentially unwanted apps (PUA) @@ -85,13 +85,13 @@ Depending on the apps your organization is using, you might be getting false pos ## Review or define exclusions for Microsoft Defender for Endpoint -An exclusion is an entity that you specify as an exception to remediation. The excluded entity might still get detected, but no remediation actions are taken on that entity. That is, the detected file or process won’t be stopped, sent to quarantine, removed, or otherwise changed by Microsoft Defender for Endpoint. +An exclusion is an entity that you specify as an exception to remediation actions. The excluded entity might still get detected, but no remediation actions are taken on that entity. That is, the detected file or process won’t be stopped, sent to quarantine, removed, or otherwise changed by Microsoft Defender for Endpoint. -To define exclusions across Microsoft Defender for Endpoint, you perform these two tasks: +To define exclusions across Microsoft Defender for Endpoint, perform the following tasks: - Define exclusions for Microsoft Defender Antivirus - Create “allow” indicators for Microsoft Defender for Endpoint -Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR), [attack surface reduction (ASR) rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction), and [controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/controlled-folders). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections. To exclude files broadly, use [custom indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators), such as "allow" indcators for Microsoft Defender for Endpoint. +Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response), [attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction), and [controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/controlled-folders). Files that you exclude using the methods described in this article can still trigger alerts and other detections. To exclude files broadly, use [custom indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators), such as "allow" indcators for Microsoft Defender for Endpoint. The procedures in this section describe how to define exclusions and indicators. From 04ec92cf634ec8ddfb09c0ba1692039b10f1ff4a Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 12:41:26 -0800 Subject: [PATCH 033/116] Update defender-endpoint-false-positives-negatives.md --- ...defender-endpoint-false-positives-negatives.md | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 1881a1f688..8db2bfbd67 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -51,7 +51,20 @@ Microsoft Defender for Endpoint offers a wide variety of options, including the Check your cloud-delivered protection level for Microsoft Defender Antivirus. By default, this is set to **Not configured**, which corresponds to a normal level of protection for most organizations. If your cloud-delivered protection is set to **High**, **High +**, or **Zero tolerance**, you might experience a higher number of false positives. -See [Specify the cloud-delivered protection level](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus) +We recommend using Microsoft Endpoint Manager to edit your cloud-delivered protection settings. + +#### Use Microsoft Endpoint Manager to review and edit cloud-delivered protection settings + +1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. +2. Choose Endpoint security > Antivirus and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to the next procedure). +3. Under **Manage**, select **Properties**. Then, next to **Configuration settings**, choose **Edit**. +4. Expand **Cloud protection**, and review your current setting in the **Cloud-delivered protection level** row. We recommend setting this to **Not configured**, which provides strong protection while reducing the chances of getting false positives. +5. Choose **Review + save**, and then **Save**. + + + +> [!TIP] +> To learn more about configuring your cloud-delivered protection, see [Specify the cloud-delivered protection level](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus) ### Remediation for potentially unwanted applications (PUA) From 05b7341aee7a6b1c2d39f90f5eebe8fc9adc5f9c Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 12:42:15 -0800 Subject: [PATCH 034/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 8db2bfbd67..1a74f33fa5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -56,12 +56,12 @@ We recommend using Microsoft Endpoint Manager to edit your cloud-delivered prote #### Use Microsoft Endpoint Manager to review and edit cloud-delivered protection settings 1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. -2. Choose Endpoint security > Antivirus and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to the next procedure). +2. Choose **Endpoint security** > **Antivirus** and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-set-cloud-delivered-protection-settings-for-a-new-antivirus-policy)). 3. Under **Manage**, select **Properties**. Then, next to **Configuration settings**, choose **Edit**. 4. Expand **Cloud protection**, and review your current setting in the **Cloud-delivered protection level** row. We recommend setting this to **Not configured**, which provides strong protection while reducing the chances of getting false positives. 5. Choose **Review + save**, and then **Save**. - +#### Use Microsoft Endpoint Manager to set cloud-delivered protection settings for a new antivirus policy > [!TIP] > To learn more about configuring your cloud-delivered protection, see [Specify the cloud-delivered protection level](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus) From cdd241e8d99345b9797dfc7a4175c2b2b0236976 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 12:49:22 -0800 Subject: [PATCH 035/116] Update TOC.md --- windows/security/threat-protection/TOC.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 4fd85c48d2..d64cf954ff 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -508,6 +508,8 @@ #### [Configure conditional access](microsoft-defender-atp/configure-conditional-access.md) #### [Configure Microsoft Cloud App Security integration](microsoft-defender-atp/microsoft-cloud-app-security-config.md) +### [Address false positives/negatives in Microsoft Defender for Endpoint](microsoft-defender-atp/defender-endpoint-false-positives-negatives.md) + ### [Use audit mode](microsoft-defender-atp/audit-windows-defender.md) ## Reference From cdde314ed51395c2fc9aee94d6fcdbff2fbedbb2 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 12:49:34 -0800 Subject: [PATCH 036/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 1a74f33fa5..22e7b90793 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -63,6 +63,8 @@ We recommend using Microsoft Endpoint Manager to edit your cloud-delivered prote #### Use Microsoft Endpoint Manager to set cloud-delivered protection settings for a new antivirus policy + + > [!TIP] > To learn more about configuring your cloud-delivered protection, see [Specify the cloud-delivered protection level](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus) From 68ea7ac163b7f95c072adcbad71e11f583111b3e Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 13:28:26 -0800 Subject: [PATCH 037/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 22e7b90793..1ef9284ac9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -44,8 +44,8 @@ If you’re using [Microsoft Defender for Endpoint](https://docs.microsoft.com/w Microsoft Defender for Endpoint offers a wide variety of options, including the ability to fine tune settings for various features and capabilities. If you’re getting a lot of false positives, make sure to review your organization’s threat protection settings. You might need to make some adjustments to the following settings in particular: -- Cloud-delivered protection -- Remediation for potentially unwanted apps (PUA) +- [Cloud-delivered protection](#cloud-delivered-protection) +- [Remediation for potentially unwanted apps](#remediation-for-potentially-unwanted-applications-pua) (PUA) ### Cloud-delivered protection @@ -55,11 +55,11 @@ We recommend using Microsoft Endpoint Manager to edit your cloud-delivered prote #### Use Microsoft Endpoint Manager to review and edit cloud-delivered protection settings -1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. -2. Choose **Endpoint security** > **Antivirus** and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-set-cloud-delivered-protection-settings-for-a-new-antivirus-policy)). -3. Under **Manage**, select **Properties**. Then, next to **Configuration settings**, choose **Edit**. -4. Expand **Cloud protection**, and review your current setting in the **Cloud-delivered protection level** row. We recommend setting this to **Not configured**, which provides strong protection while reducing the chances of getting false positives. -5. Choose **Review + save**, and then **Save**. +1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. +2. Choose **Endpoint security** > **Antivirus** and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-set-cloud-delivered-protection-settings-for-a-new-antivirus-policy)). +3. Under **Manage**, select **Properties**. Then, next to **Configuration settings**, choose **Edit**. +4. Expand **Cloud protection**, and review your current setting in the **Cloud-delivered protection level** row. We recommend setting this to **Not configured**, which provides strong protection while reducing the chances of getting false positives. +5. Choose **Review + save**, and then **Save**. #### Use Microsoft Endpoint Manager to set cloud-delivered protection settings for a new antivirus policy From 9422afe00f6e835c8fbc33b7259acc60f144d893 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 13:43:24 -0800 Subject: [PATCH 038/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 1ef9284ac9..cfe7df33b6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -38,7 +38,7 @@ In endpoint protection, a false positive is an entity, such as a file or process - [Submitting files for further analysis](#submit-a-file-for-analysis); and - [Verifying that the applications your organization is using are properly signed](#confirm-your-software-uses-ev-code-signing). -If you’re using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection), and you're seeing false positives/negatives in your [Microsoft Defender Security Center](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/use), use this article as a guide to take action. This article also includes information about [what to do if you still need help](#still-need-help) after taking the recommended steps to address false positives/negatives in your environment. +If you’re using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection), and you're seeing false positives/negatives in your [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use), use this article as a guide to take action. This article also includes information about [what to do if you still need help](#still-need-help) after taking the recommended steps to address false positives/negatives in your environment. ## Review your threat protection settings @@ -63,7 +63,8 @@ We recommend using Microsoft Endpoint Manager to edit your cloud-delivered prote #### Use Microsoft Endpoint Manager to set cloud-delivered protection settings for a new antivirus policy - +1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. +2. Choose **Endpoint security** > **Antivirus** and then select an existing policy. > [!TIP] > To learn more about configuring your cloud-delivered protection, see [Specify the cloud-delivered protection level](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus) From a25292e549f421e316dc663adfa53259a74c9e1a Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 13:59:55 -0800 Subject: [PATCH 039/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index cfe7df33b6..c0b9058440 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -64,7 +64,14 @@ We recommend using Microsoft Endpoint Manager to edit your cloud-delivered prote #### Use Microsoft Endpoint Manager to set cloud-delivered protection settings for a new antivirus policy 1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. -2. Choose **Endpoint security** > **Antivirus** and then select an existing policy. +2. Choose **Endpoint security** > **Antivirus** > **+ Create policy**. +3. For **Platform**, select an option, and then for **Profile**, select **Antivirus** or **Microsoft Defender Antivirus** (the specific option depends on what you selected for **Platform**.) Then choose **Create**. +4. On the **Basics** tab, specify a name and description for the policy. Then choose **Next**. +5. On the **Configuration settings** tab, expand **Cloud protection**, and specify the following settings: + - Set **Turn on cloud-delivered protection** to **Yes**. + - Set **Cloud-delivered protection level** to **Not configured**. (This level provides a strong level of protection by default while reducing the chances of getting false positives.) +6. On the **Scope tags** tab, + > [!TIP] > To learn more about configuring your cloud-delivered protection, see [Specify the cloud-delivered protection level](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus) @@ -135,7 +142,7 @@ In general, you should not need to define exclusions for Microsoft Defender Anti 5. Specify a name and description for the profile, and then choose **Next**. 6. On the **Configuration settings** tab, specify your antivirus exclusions, and then choose **Next**. 7. On the **Scope tags** tab, if you are using scope tags in your organization, specify scope tags for the policy you are creating. (See [Scope tags](https://docs.microsoft.com/mem/intune/fundamentals/scope-tags).) -8. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (If you need help with assignments, see [Assign user and device profiles in Microsoft Intune](Assign device profiles in Microsoft Intune - Azure | Microsoft Docs).) +8. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (If you need help with assignments, see [Assign user and device profiles in Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/device-profile-assign).) 9. On the **Review + create** tab, review the settings, and then choose **Create**. ### Indicators for Microsoft Defender for Endpoint From 07713c98772ee3af4565a1b149553e519daf4dd1 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 14:02:25 -0800 Subject: [PATCH 040/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index c0b9058440..41a001d354 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -51,6 +51,9 @@ Microsoft Defender for Endpoint offers a wide variety of options, including the Check your cloud-delivered protection level for Microsoft Defender Antivirus. By default, this is set to **Not configured**, which corresponds to a normal level of protection for most organizations. If your cloud-delivered protection is set to **High**, **High +**, or **Zero tolerance**, you might experience a higher number of false positives. +> [!TIP] +> To learn more about configuring your cloud-delivered protection, see [Specify the cloud-delivered protection level](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus) + We recommend using Microsoft Endpoint Manager to edit your cloud-delivered protection settings. #### Use Microsoft Endpoint Manager to review and edit cloud-delivered protection settings @@ -70,11 +73,12 @@ We recommend using Microsoft Endpoint Manager to edit your cloud-delivered prote 5. On the **Configuration settings** tab, expand **Cloud protection**, and specify the following settings: - Set **Turn on cloud-delivered protection** to **Yes**. - Set **Cloud-delivered protection level** to **Not configured**. (This level provides a strong level of protection by default while reducing the chances of getting false positives.) -6. On the **Scope tags** tab, +6. On the **Scope tags** tab, if you are using scope tags in your organization, specify scope tags for the policy you are creating. (See [Scope tags](https://docs.microsoft.com/mem/intune/fundamentals/scope-tags).) +8. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (If you need help with assignments, see [Assign user and device profiles in Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/device-profile-assign).) +9. On the **Review + create** tab, review the settings, and then choose **Create**. + -> [!TIP] -> To learn more about configuring your cloud-delivered protection, see [Specify the cloud-delivered protection level](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus) ### Remediation for potentially unwanted applications (PUA) From 70896026c3c8aede5837401ed9e3ef30efdd2c84 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 14:08:28 -0800 Subject: [PATCH 041/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 41a001d354..60b333fb5f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -77,9 +77,6 @@ We recommend using Microsoft Endpoint Manager to edit your cloud-delivered prote 8. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (If you need help with assignments, see [Assign user and device profiles in Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/device-profile-assign).) 9. On the **Review + create** tab, review the settings, and then choose **Create**. - - - ### Remediation for potentially unwanted applications (PUA) Potentially unwanted applications (PUA) are a category of software that can cause devices to run slowly, display unexpected ads, or install other software that might be unexpected or unwanted. Examples of PUA include advertising software, bundling software, and evasion software that behaves differently with security products. Although PUA is not considered malware, some kinds of software are PUA based on their behavior and reputation. @@ -175,6 +172,8 @@ As alerts are triggered, if you see something that was detected as malicious or ### Suppress an alert +You can suppress an alert in the Microsoft Defender Security Center. + ### Classify an alert as a false positive From c89b09bdf3e1c53a30105dd41db70db9dfc2d9d2 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 14:13:56 -0800 Subject: [PATCH 042/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 60b333fb5f..b9a77466b5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -103,7 +103,7 @@ Depending on the apps your organization is using, you might be getting false pos 4. On the **Basics** tab, specify a name and description for your policy. Then choose **Next**. 5. On the **Configuration settings** tab, scroll down and expand **Microsoft Defender Antivirus**. 6. Set **Detect potentially unwanted applications** to **Audit**, and then choose **Next**. (You can turn PUA protection off, but by using audit mode, you will be able to see detections.) -7. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (If you need help with assignments, see [Assign user and device profiles in Microsoft Intune](Assign device profiles in Microsoft Intune - Azure | Microsoft Docs).) +7. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (If you need help with assignments, see [Assign user and device profiles in Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/device-profile-assign).) 8. On the **Applicability Rules** tab, specify the OS editions or versions to include or exclude from the policy. For example, you can set the policy to be applied to all devices certain editions of Windows 10. Then choose **Next**. 9. On the **Review + create** tab, review your settings, and, and then choose **Create**. From 04b09667e6a2174745db3d5891431b0466f6844a Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 14:22:26 -0800 Subject: [PATCH 043/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index b9a77466b5..1ea52853e9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -42,7 +42,7 @@ If you’re using [Microsoft Defender for Endpoint](https://docs.microsoft.com/w ## Review your threat protection settings -Microsoft Defender for Endpoint offers a wide variety of options, including the ability to fine tune settings for various features and capabilities. If you’re getting a lot of false positives, make sure to review your organization’s threat protection settings. You might need to make some adjustments to the following settings in particular: +Microsoft Defender for Endpoint offers a wide variety of options, including the ability to fine-tune settings for various features and capabilities. If you’re getting numerous false positives, make sure to review your organization’s threat protection settings. You might need to make some adjustments to the following settings in particular: - [Cloud-delivered protection](#cloud-delivered-protection) - [Remediation for potentially unwanted apps](#remediation-for-potentially-unwanted-applications-pua) (PUA) @@ -73,7 +73,7 @@ We recommend using Microsoft Endpoint Manager to edit your cloud-delivered prote 5. On the **Configuration settings** tab, expand **Cloud protection**, and specify the following settings: - Set **Turn on cloud-delivered protection** to **Yes**. - Set **Cloud-delivered protection level** to **Not configured**. (This level provides a strong level of protection by default while reducing the chances of getting false positives.) -6. On the **Scope tags** tab, if you are using scope tags in your organization, specify scope tags for the policy you are creating. (See [Scope tags](https://docs.microsoft.com/mem/intune/fundamentals/scope-tags).) +6. On the **Scope tags** tab, if you are using scope tags in your organization, specify scope tags for the policy. (See [Scope tags](https://docs.microsoft.com/mem/intune/fundamentals/scope-tags).) 8. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (If you need help with assignments, see [Assign user and device profiles in Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/device-profile-assign).) 9. On the **Review + create** tab, review the settings, and then choose **Create**. @@ -138,7 +138,7 @@ In general, you should not need to define exclusions for Microsoft Defender Anti 1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. 2. Choose **Endpoint security** > **Antivirus** > **+ Create Policy**. -3. Select a platform (such as Windows 10 and later, macOS, or Windows 10 and Windows Server). +3. Select a platform (such as **Windows 10 and later**, **macOS**, or **Windows 10 and Windows Server**). 4. For **Profile**, select **Microsoft Defender Antivirus exclusions**, and then choose **Create**. 5. Specify a name and description for the profile, and then choose **Next**. 6. On the **Configuration settings** tab, specify your antivirus exclusions, and then choose **Next**. From e3b8b22f857727ef5deb18bd5f8ad38e72aaa5c8 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 14:23:04 -0800 Subject: [PATCH 044/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 1ea52853e9..4e7efcd55a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -102,7 +102,7 @@ Depending on the apps your organization is using, you might be getting false pos 3. For the **Platform**, choose **Windows 10 and later**, and for **Profile**, select **Device restrictions**. 4. On the **Basics** tab, specify a name and description for your policy. Then choose **Next**. 5. On the **Configuration settings** tab, scroll down and expand **Microsoft Defender Antivirus**. -6. Set **Detect potentially unwanted applications** to **Audit**, and then choose **Next**. (You can turn PUA protection off, but by using audit mode, you will be able to see detections.) +6. Set **Detect potentially unwanted applications** to **Audit**, and then choose **Next**. (You can turn off PUA protection, but by using audit mode, you will be able to see detections.) 7. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (If you need help with assignments, see [Assign user and device profiles in Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/device-profile-assign).) 8. On the **Applicability Rules** tab, specify the OS editions or versions to include or exclude from the policy. For example, you can set the policy to be applied to all devices certain editions of Windows 10. Then choose **Next**. 9. On the **Review + create** tab, review your settings, and, and then choose **Create**. @@ -115,7 +115,7 @@ To define exclusions across Microsoft Defender for Endpoint, perform the followi - Define exclusions for Microsoft Defender Antivirus - Create “allow” indicators for Microsoft Defender for Endpoint -Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response), [attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction), and [controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/controlled-folders). Files that you exclude using the methods described in this article can still trigger alerts and other detections. To exclude files broadly, use [custom indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators), such as "allow" indcators for Microsoft Defender for Endpoint. +Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response), [attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction), and [controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/controlled-folders). Files that you exclude using the methods described in this article can still trigger alerts and other detections. To exclude files broadly, use [custom indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators), such as "allow" indicators for Microsoft Defender for Endpoint. The procedures in this section describe how to define exclusions and indicators. @@ -186,7 +186,7 @@ Your security team can classify an alert as a false positive in the Microsoft De 4. In the **Manage alert** section, select **True alert** or **False alert**. Use **False alert** to classify a false positive. > [!TIP] -> For more details about suppressing alerts, see [Manage Microsoft Defender for Endpoint alerts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-alerts). +> For more information about suppressing alerts, see [Manage Microsoft Defender for Endpoint alerts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-alerts). ## Submit a file for analysis From a0d3c8e46811e7101948011a7789634861d87425 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 14:33:09 -0800 Subject: [PATCH 045/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 4e7efcd55a..e022ecd644 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -156,7 +156,7 @@ To specify entities as exclusions for Microsoft Defender for Endpoint, your secu - [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) - [Automated investigation & remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) -Your security team can create indicators for files, IP addresses, URLs, domains, and certificates. Use the following resources to create or manage indicators in the Microsoft Defender Security Center([https://securitycenter.windows.com](https://securitycenter.windows.com)): +Your security team can create indicators for files, IP addresses, URLs, domains, and certificates. Use the following resources to create or manage indicators in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)): - [Learn more about indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) - [Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file) From 85f16c130ea0dc4a512631922c48d838936c6249 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 14:34:27 -0800 Subject: [PATCH 046/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index e022ecd644..e6352c7739 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -31,7 +31,7 @@ ms.custom: FPFN - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146806) -In endpoint protection, a false positive is an entity, such as a file or process, that was detected and identified as malicious, when, in fact, the entity does not pose a threat. A false negative is an entity that was not detected as a threat even though it is, in fact, malicious. The process of addressing false positives/negatives can include: +In endpoint protection, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity is not actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. The process of addressing false positives/negatives can include: - [Reviewing your threat protection settings and making adjustments where needed](#review-your-threat-protection-settings); - [Defining exclusions, such as for antivirus and other endpoint protection features](#review-or-define-exclusions-for-microsoft-defender-for-endpoint); - [Classifying false positives in your endpoint protection solution](#classify-a-false-positive-or-false-negative); From 829d15f748361815e2953a10f2b33726c5a13c5b Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 14:36:34 -0800 Subject: [PATCH 047/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index e6352c7739..d1a1651c05 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -31,7 +31,7 @@ ms.custom: FPFN - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146806) -In endpoint protection, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity is not actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. The process of addressing false positives/negatives can include: +In endpoint protection, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. The process of addressing false positives/negatives can include: - [Reviewing your threat protection settings and making adjustments where needed](#review-your-threat-protection-settings); - [Defining exclusions, such as for antivirus and other endpoint protection features](#review-or-define-exclusions-for-microsoft-defender-for-endpoint); - [Classifying false positives in your endpoint protection solution](#classify-a-false-positive-or-false-negative); From 13ea23be0e54cf823514a89cb1e7aae5e518520b Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 14:37:49 -0800 Subject: [PATCH 048/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index d1a1651c05..692b8001f3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -54,9 +54,9 @@ Check your cloud-delivered protection level for Microsoft Defender Antivirus. By > [!TIP] > To learn more about configuring your cloud-delivered protection, see [Specify the cloud-delivered protection level](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus) -We recommend using Microsoft Endpoint Manager to edit your cloud-delivered protection settings. +We recommend using Microsoft Endpoint Manager to edit or set your cloud-delivered protection settings. -#### Use Microsoft Endpoint Manager to review and edit cloud-delivered protection settings +#### Use Microsoft Endpoint Manager to review and edit cloud-delivered protection settings (for existing policies) 1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. 2. Choose **Endpoint security** > **Antivirus** and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-set-cloud-delivered-protection-settings-for-a-new-antivirus-policy)). @@ -64,7 +64,7 @@ We recommend using Microsoft Endpoint Manager to edit your cloud-delivered prote 4. Expand **Cloud protection**, and review your current setting in the **Cloud-delivered protection level** row. We recommend setting this to **Not configured**, which provides strong protection while reducing the chances of getting false positives. 5. Choose **Review + save**, and then **Save**. -#### Use Microsoft Endpoint Manager to set cloud-delivered protection settings for a new antivirus policy +#### Use Microsoft Endpoint Manager to set cloud-delivered protection settings (for a new policy) 1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. 2. Choose **Endpoint security** > **Antivirus** > **+ Create policy**. From d1f235b8097193002b28a4845aca1a6684d95a19 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 14:39:35 -0800 Subject: [PATCH 049/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 692b8001f3..79bd50bdb6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -77,16 +77,18 @@ We recommend using Microsoft Endpoint Manager to edit or set your cloud-delivere 8. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (If you need help with assignments, see [Assign user and device profiles in Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/device-profile-assign).) 9. On the **Review + create** tab, review the settings, and then choose **Create**. -### Remediation for potentially unwanted applications (PUA) +### Remediation for potentially unwanted applications Potentially unwanted applications (PUA) are a category of software that can cause devices to run slowly, display unexpected ads, or install other software that might be unexpected or unwanted. Examples of PUA include advertising software, bundling software, and evasion software that behaves differently with security products. Although PUA is not considered malware, some kinds of software are PUA based on their behavior and reputation. Depending on the apps your organization is using, you might be getting false positives as a result of your PUA protection settings. If this is happening, consider running PUA protection in audit mode for a while, or apply PUA protection to a subset of devices in your organization. PUA protection can be configured for the Microsoft Edge browser and for Microsoft Defender Antivirus. +We recommend using Microsoft Endpoint Manager to edit or set PUA protection settings. + > [!TIP] > To learn more about PUA, see [Detect and block potentially unwanted applications](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus). -#### Use Microsoft Endpoint Manager to edit PUA protection for existing configuration profiles +#### Use Microsoft Endpoint Manager to edit PUA protection (for existing configuration profiles) 1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. 2. Choose **Devices** > **Configuration profiles**, and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-set-pua-protection-for-a-new-configuration-profile)). @@ -95,7 +97,7 @@ Depending on the apps your organization is using, you might be getting false pos 5. Set **Detect potentially unwanted applications** to **Audit**. (You can turn it off, but by using audit mode, you will be able to see detections.) 6. Choose **Review + save**, and then choose **Save**. -#### Use Microsoft Endpoint Manager to set PUA protection for a new configuration profile +#### Use Microsoft Endpoint Manager to set PUA protection (for a new configuration profile) 1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. 2. Choose **Devices** > **Configuration profiles** > **+ Create profile**. From f4e06d3edda8d7e7463982471adf3c7d6758f10c Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 14:43:30 -0800 Subject: [PATCH 050/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 79bd50bdb6..945fa7046e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -59,7 +59,7 @@ We recommend using Microsoft Endpoint Manager to edit or set your cloud-delivere #### Use Microsoft Endpoint Manager to review and edit cloud-delivered protection settings (for existing policies) 1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. -2. Choose **Endpoint security** > **Antivirus** and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-set-cloud-delivered-protection-settings-for-a-new-antivirus-policy)). +2. Choose **Endpoint security** > **Antivirus** and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-set-cloud-delivered-protection-settings-for-a-new-policy)). 3. Under **Manage**, select **Properties**. Then, next to **Configuration settings**, choose **Edit**. 4. Expand **Cloud protection**, and review your current setting in the **Cloud-delivered protection level** row. We recommend setting this to **Not configured**, which provides strong protection while reducing the chances of getting false positives. 5. Choose **Review + save**, and then **Save**. @@ -91,7 +91,7 @@ We recommend using Microsoft Endpoint Manager to edit or set PUA protection sett #### Use Microsoft Endpoint Manager to edit PUA protection (for existing configuration profiles) 1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. -2. Choose **Devices** > **Configuration profiles**, and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-set-pua-protection-for-a-new-configuration-profile)). +2. Choose **Devices** > **Configuration profiles**, and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-set-pua-protection-for-a-new-configuration-profile).) 3. Under **Manage**, choose **Properties**, and then, next to **Configuration settings**, choose **Edit**. 4. On the **Configuration settings** tab, scroll down and expand **Microsoft Defender Antivirus**. 5. Set **Detect potentially unwanted applications** to **Audit**. (You can turn it off, but by using audit mode, you will be able to see detections.) From 491246ff122991f20713e366ac4ec1f680b9c3fd Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 15:06:40 -0800 Subject: [PATCH 051/116] Update defender-endpoint-false-positives-negatives.md --- ...fender-endpoint-false-positives-negatives.md | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 945fa7046e..5bdb3bdb43 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -114,8 +114,8 @@ We recommend using Microsoft Endpoint Manager to edit or set PUA protection sett An exclusion is an entity that you specify as an exception to remediation actions. The excluded entity might still get detected, but no remediation actions are taken on that entity. That is, the detected file or process won’t be stopped, sent to quarantine, removed, or otherwise changed by Microsoft Defender for Endpoint. To define exclusions across Microsoft Defender for Endpoint, perform the following tasks: -- Define exclusions for Microsoft Defender Antivirus -- Create “allow” indicators for Microsoft Defender for Endpoint +- [Define exclusions for Microsoft Defender Antivirus](#exclusions-for-microsoft-defender-antivirus) +- [Create “allow” indicators for Microsoft Defender for Endpoint](#indicators-for-microsoft-defender-for-endpoint) Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response), [attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction), and [controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/controlled-folders). Files that you exclude using the methods described in this article can still trigger alerts and other detections. To exclude files broadly, use [custom indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators), such as "allow" indicators for Microsoft Defender for Endpoint. @@ -128,15 +128,15 @@ In general, you should not need to define exclusions for Microsoft Defender Anti > [!TIP] > Need help with antivirus exclusions? See [Configure and validate exclusions for Microsoft Defender Antivirus scans](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus). -#### Use Microsoft Endpoint Manager to manage antivirus exclusions for existing policies +#### Use Microsoft Endpoint Manager to manage antivirus exclusions (for existing policies) 1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. -2. Choose **Endpoint security** > **Antivirus**, and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-create-an-antivirus-policy-with-exclusions)). +2. Choose **Endpoint security** > **Antivirus**, and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-create-a-new-antivirus-policy-with-exclusions)). 3. Choose **Properties**, and next to **Configuration settings**, choose **Edit**. 4. Expand **Microsoft Defender Antivirus Exclusions** and then specify your exclusions. 5. Choose **Review + save**, and then choose **Save**. -#### Use Microsoft Endpoint Manager to create an antivirus policy with exclusions +#### Use Microsoft Endpoint Manager to create a new antivirus policy with exclusions 1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. 2. Choose **Endpoint security** > **Antivirus** > **+ Create Policy**. @@ -150,7 +150,7 @@ In general, you should not need to define exclusions for Microsoft Defender Anti ### Indicators for Microsoft Defender for Endpoint -Indicators enable your security operations team to define the detection, prevention, and exclusion of entities. For example, your security operations team can specify certain files to be omitted from scans and remediation actions in Microsoft Defender for Endpoint. Or, indicators can be used to generate alerts for certain IP addresses or URLs. +[Indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) enable your security operations team to define the detection, prevention, and exclusion of entities. For example, your security operations team can specify certain files to be omitted from scans and remediation actions in Microsoft Defender for Endpoint. Or, indicators can be used to generate alerts for certain IP addresses or URLs. To specify entities as exclusions for Microsoft Defender for Endpoint, your security team can create "allow" indicators. Such "allow" indicators apply to the following capabilities in Microsoft Defender for Endpoint: @@ -176,7 +176,10 @@ As alerts are triggered, if you see something that was detected as malicious or You can suppress an alert in the Microsoft Defender Security Center. - +1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. +2. In the navigation pane, select **Alerts queue**. +3. Select an alert that you want to suppress to open its **Details** pane. +4. ### Classify an alert as a false positive From 212169b3961958a332cc25fb70c2bcd29574198e Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 15:14:08 -0800 Subject: [PATCH 052/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 5bdb3bdb43..573573fee3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -179,7 +179,11 @@ You can suppress an alert in the Microsoft Defender Security Center. 1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. 2. In the navigation pane, select **Alerts queue**. 3. Select an alert that you want to suppress to open its **Details** pane. -4. +4. In the **Details** pane, choose the ellipsis (`...`), and then choose **Create a suppression rule**. +5. Specify all the settings for your suppression rule, and then choose **Save**. + +> [!TIP] +> Need help with suppression rules? See [Suppress an alert and create a new suppression rule](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-alerts#suppress-an-alert-and-create-a-new-suppression-rule). ### Classify an alert as a false positive From 9e0135d6f6a59131cb024d703f52e3a92b8f46bb Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 15:25:45 -0800 Subject: [PATCH 053/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 573573fee3..eb27f493c0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -195,11 +195,16 @@ Your security team can classify an alert as a false positive in the Microsoft De 4. In the **Manage alert** section, select **True alert** or **False alert**. Use **False alert** to classify a false positive. > [!TIP] -> For more information about suppressing alerts, see [Manage Microsoft Defender for Endpoint alerts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-alerts). +> - For more information about suppressing alerts, see [Manage Microsoft Defender for Endpoint alerts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-alerts). +> - If your organization is using a security information and event management (SIEM) server, make sure to define a suppression rule there, too. ## Submit a file for analysis -*https://www.microsoft.com/wdsi/filesubmission/* +You can submit files, such as false positives or false negatives, to Microsoft for analysis. Microsoft security researchers analyze all submissions. + +1. Review the guidelines here: [Submit files for analysis](https://docs.microsoft.com/windows/security/threat-protection/intelligence/submission-guide). + +2. Visit the Microsoft Security Intelligence submission site at [https://www.microsoft.com/wdsi/filesubmission](https://www.microsoft.com/wdsi/filesubmission), and submit your file(s). ## Confirm your software uses EV code signing From 6492201cda1c123429423f82730c684011c90521 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 15:34:23 -0800 Subject: [PATCH 054/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index eb27f493c0..d6efaf4c7c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -208,6 +208,8 @@ You can submit files, such as false positives or false negatives, to Microsoft f ## Confirm your software uses EV code signing +As explained in the blog, [Partnering with the industry to minimize false positives](https://www.microsoft.com/security/blog/2018/08/16/partnering-with-the-industry-to-minimize-false-positives), digital signatures help to ensure the software integrity. + *Some info is available here: https://docs.microsoft.com/windows-hardware/drivers/dashboard/get-a-code-signing-certificate* ## Still need help? \ No newline at end of file From 0d77afe588ae2158bf2495fc44e7e9a10c0ba20f Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 15:36:11 -0800 Subject: [PATCH 055/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index d6efaf4c7c..9894246277 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -200,7 +200,7 @@ Your security team can classify an alert as a false positive in the Microsoft De ## Submit a file for analysis -You can submit files, such as false positives or false negatives, to Microsoft for analysis. Microsoft security researchers analyze all submissions. +You can submit files, such as false positives or false negatives, to Microsoft for analysis. Microsoft security researchers analyze all submissions. After you sign in at the submission site, you can track your submissions. 1. Review the guidelines here: [Submit files for analysis](https://docs.microsoft.com/windows/security/threat-protection/intelligence/submission-guide). From 6e94b9e5ea0af085ae814ffae0b05de0f714418e Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 15:41:02 -0800 Subject: [PATCH 056/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 9894246277..566483d5ad 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -208,7 +208,7 @@ You can submit files, such as false positives or false negatives, to Microsoft f ## Confirm your software uses EV code signing -As explained in the blog, [Partnering with the industry to minimize false positives](https://www.microsoft.com/security/blog/2018/08/16/partnering-with-the-industry-to-minimize-false-positives), digital signatures help to ensure the software integrity. +As explained in the blog, [Partnering with the industry to minimize false positives](https://www.microsoft.com/security/blog/2018/08/16/partnering-with-the-industry-to-minimize-false-positives), digital signatures help to ensure the software integrity. The reputation of digital certificates also plays a role in whether software is considered suspicious or not a threat. By using a reputable certificate, developers can reduce the chances of their software being detected as malware. *Some info is available here: https://docs.microsoft.com/windows-hardware/drivers/dashboard/get-a-code-signing-certificate* From 1f7a3c6aed3a8baddd7a7949e51c9779f114e90a Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 15:45:25 -0800 Subject: [PATCH 057/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 566483d5ad..8ccb2a1464 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -208,7 +208,7 @@ You can submit files, such as false positives or false negatives, to Microsoft f ## Confirm your software uses EV code signing -As explained in the blog, [Partnering with the industry to minimize false positives](https://www.microsoft.com/security/blog/2018/08/16/partnering-with-the-industry-to-minimize-false-positives), digital signatures help to ensure the software integrity. The reputation of digital certificates also plays a role in whether software is considered suspicious or not a threat. By using a reputable certificate, developers can reduce the chances of their software being detected as malware. +As explained in the blog, [Partnering with the industry to minimize false positives](https://www.microsoft.com/security/blog/2018/08/16/partnering-with-the-industry-to-minimize-false-positives), digital signatures help to ensure the software integrity. The reputation of digital certificates also plays a role in whether software is considered suspicious or not a threat. By using a reputable certificate, developers can reduce the chances of their software being detected as malware. Extended validation (EV) code signing is a more advanced version of digital certificates and requires a more rigorous vetting and authentication process. *Some info is available here: https://docs.microsoft.com/windows-hardware/drivers/dashboard/get-a-code-signing-certificate* From 8e578d849a19ec35472d887e21d229914248975a Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 15:49:01 -0800 Subject: [PATCH 058/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 8ccb2a1464..5fd958105a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -210,6 +210,9 @@ You can submit files, such as false positives or false negatives, to Microsoft f As explained in the blog, [Partnering with the industry to minimize false positives](https://www.microsoft.com/security/blog/2018/08/16/partnering-with-the-industry-to-minimize-false-positives), digital signatures help to ensure the software integrity. The reputation of digital certificates also plays a role in whether software is considered suspicious or not a threat. By using a reputable certificate, developers can reduce the chances of their software being detected as malware. Extended validation (EV) code signing is a more advanced version of digital certificates and requires a more rigorous vetting and authentication process. -*Some info is available here: https://docs.microsoft.com/windows-hardware/drivers/dashboard/get-a-code-signing-certificate* +Want to learn more? See the following resources: + +- [Microsoft Security Blog: Partnering with the industry to minimize false positives](https://www.microsoft.com/security/blog/2018/08/16/partnering-with-the-industry-to-minimize-false-positives/) +- [Get a code signing certificate](https://docs.microsoft.com/windows-hardware/drivers/dashboard/get-a-code-signing-certificate) ## Still need help? \ No newline at end of file From 1850364615dcad85b73c3acc1695fe72e86a6711 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 16:01:55 -0800 Subject: [PATCH 059/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 5fd958105a..20d9296951 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -215,4 +215,10 @@ Want to learn more? See the following resources: - [Microsoft Security Blog: Partnering with the industry to minimize false positives](https://www.microsoft.com/security/blog/2018/08/16/partnering-with-the-industry-to-minimize-false-positives/) - [Get a code signing certificate](https://docs.microsoft.com/windows-hardware/drivers/dashboard/get-a-code-signing-certificate) -## Still need help? \ No newline at end of file +## Still need help? + +If you still need help after working through all the steps in this article, your best bet is to contact technical support. + +1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. +2. In the upper right corner, select the question mark (**?**), and then select **Microsoft support**. +3. In the Support Assistant window, describe your issue, and then send your message. From there, you can open a service request. \ No newline at end of file From 55266f36a6982d43f1fb1942165eb0d78873efae Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 16:03:50 -0800 Subject: [PATCH 060/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 20d9296951..c0cf213302 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -31,7 +31,7 @@ ms.custom: FPFN - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146806) -In endpoint protection, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. The process of addressing false positives/negatives can include: +In endpoint protection solutions, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. The process of addressing false positives/negatives can include: - [Reviewing your threat protection settings and making adjustments where needed](#review-your-threat-protection-settings); - [Defining exclusions, such as for antivirus and other endpoint protection features](#review-or-define-exclusions-for-microsoft-defender-for-endpoint); - [Classifying false positives in your endpoint protection solution](#classify-a-false-positive-or-false-negative); From ce22afb841af4e3c5fbd31bf252c12c22eb5ecb4 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Jan 2021 16:04:36 -0800 Subject: [PATCH 061/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index c0cf213302..372f40c539 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -204,7 +204,7 @@ You can submit files, such as false positives or false negatives, to Microsoft f 1. Review the guidelines here: [Submit files for analysis](https://docs.microsoft.com/windows/security/threat-protection/intelligence/submission-guide). -2. Visit the Microsoft Security Intelligence submission site at [https://www.microsoft.com/wdsi/filesubmission](https://www.microsoft.com/wdsi/filesubmission), and submit your file(s). +2. Visit the Microsoft Security Intelligence submission ([https://www.microsoft.com/wdsi/filesubmission](https://www.microsoft.com/wdsi/filesubmission)), and submit your file(s). ## Confirm your software uses EV code signing From a000c63a559273bb537cab48c9b29396640984a0 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 19 Jan 2021 11:32:59 -0800 Subject: [PATCH 062/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 372f40c539..7b7d214f5c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -11,7 +11,7 @@ ms.sitesec: library ms.pagetype: security ms.author: deniseb author: denisebmsft -ms.date: 01/15/2021 +ms.date: 01/19/2021 ms.localizationpriority: medium manager: dansimp audience: ITPro @@ -52,7 +52,7 @@ Microsoft Defender for Endpoint offers a wide variety of options, including the Check your cloud-delivered protection level for Microsoft Defender Antivirus. By default, this is set to **Not configured**, which corresponds to a normal level of protection for most organizations. If your cloud-delivered protection is set to **High**, **High +**, or **Zero tolerance**, you might experience a higher number of false positives. > [!TIP] -> To learn more about configuring your cloud-delivered protection, see [Specify the cloud-delivered protection level](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus) +> To learn more about configuring your cloud-delivered protection, see [Specify the cloud-delivered protection level](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus). We recommend using Microsoft Endpoint Manager to edit or set your cloud-delivered protection settings. From 590d25d31b798511becfa79d2b5a3d675cfbfc90 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 19 Jan 2021 12:07:38 -0800 Subject: [PATCH 063/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 7b7d214f5c..ec326b2612 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -150,7 +150,7 @@ In general, you should not need to define exclusions for Microsoft Defender Anti ### Indicators for Microsoft Defender for Endpoint -[Indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) enable your security operations team to define the detection, prevention, and exclusion of entities. For example, your security operations team can specify certain files to be omitted from scans and remediation actions in Microsoft Defender for Endpoint. Or, indicators can be used to generate alerts for certain IP addresses or URLs. +[Indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) enable your security operations team to define the detection, prevention, and exclusion of entities. For example, your security operations team can specify certain files to be omitted from scans and remediation actions in Microsoft Defender for Endpoint. Or, indicators can be used to generate alerts for certain files, IP addresses, or URLs. To specify entities as exclusions for Microsoft Defender for Endpoint, your security team can create "allow" indicators. Such "allow" indicators apply to the following capabilities in Microsoft Defender for Endpoint: From 273dd4589a029b55cba7ce0795732b721f4c50fc Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 19 Jan 2021 12:09:11 -0800 Subject: [PATCH 064/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index ec326b2612..aa6c823ab6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -152,7 +152,7 @@ In general, you should not need to define exclusions for Microsoft Defender Anti [Indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) enable your security operations team to define the detection, prevention, and exclusion of entities. For example, your security operations team can specify certain files to be omitted from scans and remediation actions in Microsoft Defender for Endpoint. Or, indicators can be used to generate alerts for certain files, IP addresses, or URLs. -To specify entities as exclusions for Microsoft Defender for Endpoint, your security team can create "allow" indicators. Such "allow" indicators apply to the following capabilities in Microsoft Defender for Endpoint: +To specify entities as exclusions for Microsoft Defender for Endpoint, your security team can create "allow" indicators for those entities. Such "allow" indicators in Microsoft Defender for Endpoint apply to: - [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) - [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) From c466bf04c640455788b97a07d5a031617adb1a85 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 20 Jan 2021 10:47:46 -0800 Subject: [PATCH 065/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index aa6c823ab6..473172524a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -166,7 +166,15 @@ Your security team can create indicators for files, IP addresses, URLs, domains, - [Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates) > [!TIP] -> When you create indicators, you can define them one by one or import multiple items at once. Keep in mind there's a limit of 15,000 indicators you can have in a single tenant. And, you might need to gather certain details first, such as file hash information. Make sure to review the information, including prerequisites, +> When you create indicators, you can define them one by one or import multiple items at once. Keep in mind there's a limit of 15,000 indicators you can have in a single tenant. And, you might need to gather certain details first, such as file hash information. Make sure to review the prerequisites before you [create indicators](manage-indicators.md). + +| Indicator type | Prerequisites | Notes | +|----|----|---| +|Files

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file). | Your organization is using Microsoft Defender Antivirus with cloud-based protection enabled.

Your antimalware client version is must be 4.18.1901.x or later.

Your devices are must be running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019 | Make sure the [Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | The allow or block function cannot be done on files if the file's classification exists on the device's cache prior to the allow or block action

Trusted signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted signed files, in some cases, may have performance implications.

Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes. | + + + + ## Classify a false positive or false negative From 5eb90ebe273a332b300d734c429c492da1382cb3 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 20 Jan 2021 10:51:21 -0800 Subject: [PATCH 066/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 473172524a..b8a979b127 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -171,6 +171,12 @@ Your security team can create indicators for files, IP addresses, URLs, domains, | Indicator type | Prerequisites | Notes | |----|----|---| |Files

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file). | Your organization is using Microsoft Defender Antivirus with cloud-based protection enabled.

Your antimalware client version is must be 4.18.1901.x or later.

Your devices are must be running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019 | Make sure the [Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | The allow or block function cannot be done on files if the file's classification exists on the device's cache prior to the allow or block action

Trusted signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted signed files, in some cases, may have performance implications.

Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes. | +| IP addresses and URLs

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain) | Network protection in Defender for Endpoint must be enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Your antimalware client version must be 4.18.1906.x or later.

Your devices must be running Windows 10, version 1709 or later

Custom network indicators must be turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios leverage Network Protection for inspection and enforcement.

There may be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) | + + + + + From e8f163965b5dbb0b5d731d0be21fe66ffd47d26e Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 20 Jan 2021 10:58:24 -0800 Subject: [PATCH 067/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index b8a979b127..8122abd1da 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -170,8 +170,12 @@ Your security team can create indicators for files, IP addresses, URLs, domains, | Indicator type | Prerequisites | Notes | |----|----|---| -|Files

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file). | Your organization is using Microsoft Defender Antivirus with cloud-based protection enabled.

Your antimalware client version is must be 4.18.1901.x or later.

Your devices are must be running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019 | Make sure the [Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | The allow or block function cannot be done on files if the file's classification exists on the device's cache prior to the allow or block action

Trusted signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted signed files, in some cases, may have performance implications.

Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes. | +|Files

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file). | Microsoft Defender Antivirus with cloud-based protection enabled.

Antimalware client version must be 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

The [Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action

Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes. | | IP addresses and URLs

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain) | Network protection in Defender for Endpoint must be enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Your antimalware client version must be 4.18.1906.x or later.

Your devices must be running Windows 10, version 1709 or later

Custom network indicators must be turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios leverage Network Protection for inspection and enforcement.

There may be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) | +| Certificates

`.CER` or `.PEM` file extensions are supported.

[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates) |Microsoft Defender Antivirus with cloud-based protection is enabled ([Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Your antimalware client version must be 4.18.1901.x or later.

Your devices must be running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

Your virus and threat protection definitions must be up to date. | + + + From 66c7569f3377716bba0b8e5e9afad6a8308ddb6c Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 20 Jan 2021 10:59:26 -0800 Subject: [PATCH 068/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 8122abd1da..f5ce4cceed 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -172,7 +172,8 @@ Your security team can create indicators for files, IP addresses, URLs, domains, |----|----|---| |Files

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file). | Microsoft Defender Antivirus with cloud-based protection enabled.

Antimalware client version must be 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

The [Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action

Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes. | | IP addresses and URLs

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain) | Network protection in Defender for Endpoint must be enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Your antimalware client version must be 4.18.1906.x or later.

Your devices must be running Windows 10, version 1709 or later

Custom network indicators must be turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios leverage Network Protection for inspection and enforcement.

There may be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) | -| Certificates

`.CER` or `.PEM` file extensions are supported.

[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates) |Microsoft Defender Antivirus with cloud-based protection is enabled ([Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Your antimalware client version must be 4.18.1901.x or later.

Your devices must be running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

Your virus and threat protection definitions must be up to date. | +| Certificates

`.CER` or `.PEM` file extensions are supported.

[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates) |Microsoft Defender Antivirus with cloud-based protection is enabled ([Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Your antimalware client version must be 4.18.1901.x or later.

Your devices must be running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

Your virus and threat protection definitions must be up to date. | A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC. | + From 08442412663eeb9785fb3a9a1d189c1f0b2dd354 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 20 Jan 2021 10:59:58 -0800 Subject: [PATCH 069/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index f5ce4cceed..5d51a6f36d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -174,19 +174,6 @@ Your security team can create indicators for files, IP addresses, URLs, domains, | IP addresses and URLs

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain) | Network protection in Defender for Endpoint must be enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Your antimalware client version must be 4.18.1906.x or later.

Your devices must be running Windows 10, version 1709 or later

Custom network indicators must be turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios leverage Network Protection for inspection and enforcement.

There may be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) | | Certificates

`.CER` or `.PEM` file extensions are supported.

[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates) |Microsoft Defender Antivirus with cloud-based protection is enabled ([Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Your antimalware client version must be 4.18.1901.x or later.

Your devices must be running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

Your virus and threat protection definitions must be up to date. | A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC. | - - - - - - - - - - - - - ## Classify a false positive or false negative As alerts are triggered, if you see something that was detected as malicious or suspicious that should not be, you can suppress alerts for that entity and classify alerts as false positives. Managing your alerts and classifying false positives helps to train your threat protection solution. Taking these steps also helps reduce noise in your security operations dashboard so that your security team can focus on higher priority work items. From 0b2d7ab3e403ea122bd6e5aa85b23cc645cdb053 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 20 Jan 2021 16:08:22 -0800 Subject: [PATCH 070/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 5d51a6f36d..2242561c26 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -11,7 +11,7 @@ ms.sitesec: library ms.pagetype: security ms.author: deniseb author: denisebmsft -ms.date: 01/19/2021 +ms.date: 01/21/2021 ms.localizationpriority: medium manager: dansimp audience: ITPro From f7b513116952b788788b1856b6fc3ed945558a00 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 21 Jan 2021 20:14:46 -0800 Subject: [PATCH 071/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 2242561c26..1083895ed8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -11,7 +11,7 @@ ms.sitesec: library ms.pagetype: security ms.author: deniseb author: denisebmsft -ms.date: 01/21/2021 +ms.date: 01/22/2021 ms.localizationpriority: medium manager: dansimp audience: ITPro From cc97ce85b1d8549daebc662e47e134c7f1df2b32 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 21 Jan 2021 20:27:52 -0800 Subject: [PATCH 072/116] Update defender-endpoint-false-positives-negatives.md --- ...nder-endpoint-false-positives-negatives.md | 95 +++++++++++++++++-- 1 file changed, 89 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 1083895ed8..0a7de859a9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -31,15 +31,98 @@ ms.custom: FPFN - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146806) -In endpoint protection solutions, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. The process of addressing false positives/negatives can include: -- [Reviewing your threat protection settings and making adjustments where needed](#review-your-threat-protection-settings); -- [Defining exclusions, such as for antivirus and other endpoint protection features](#review-or-define-exclusions-for-microsoft-defender-for-endpoint); -- [Classifying false positives in your endpoint protection solution](#classify-a-false-positive-or-false-negative); -- [Submitting files for further analysis](#submit-a-file-for-analysis); and -- [Verifying that the applications your organization is using are properly signed](#confirm-your-software-uses-ev-code-signing). +In endpoint protection, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. The process of addressing false positives/negatives includes: + +1. Reviewing and classifying alerts +2. Reviewing remediation actions that were taken +3. Reviewing and defining exclusions +4. Submitting an entity for analysis +5. Reviewing your threat protection settings If you’re using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection), and you're seeing false positives/negatives in your [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use), use this article as a guide to take action. This article also includes information about [what to do if you still need help](#still-need-help) after taking the recommended steps to address false positives/negatives in your environment. +## Review and classify alerts + +If your security operations team see an alert that was triggered because something was detected as malicious or suspicious that should not have been, you can suppress the alert for that entity. You can also suppress alerts that are not necessarily false positives, but are unimportant. And, you can classify alerts as false positives as needed. + +Managing your alerts and classifying false positives helps to train your threat protection solution and can reduce the number of false positives or false negatives over time. Taking these steps also helps reduce noise in your security operations dashboard so that your security team can focus on higher priority work items. + +### Determine whether an alert is accurate + +Before you classify or suppress an alert, determine whether the alert is accurate, a false positive, or benign. +1. Go to the Microsoft Defender Security Center (https://securitycenter.windows.com) and sign in. +2. In the navigation pane, choose **Alerts queue**. +3. Select an alert to more details about the alert. (See [Review alerts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/review-alerts).) +4. Take one of the following steps: + - If the alert is accurate, assign and investigate the alert further. + - If the alert is a false positive, proceed to classify the alert as a false positive, and then suppress the alert. Also, create an indicator for Microsoft Defender for Endpoint. + - If the alert is accurate but benign (unimportant), classify the alert as a true positive, and then suppress the alert. + +### Classify an alert as a false positive + +Your security team can classify an alert as a false positive in the Microsoft Defender Security Center, in the Alerts queue. + +1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. +2. Select **Alerts queue**, and then select an alert that is a false positive. +3. For the selected alert, select **Actions** > **Manage alert**. A flyout pane opens. +4. In the **Manage alert** section, select **True alert** or **False alert**. Use **False alert** to classify a false positive. + +> [!TIP] +> For more information about suppressing alerts, see [Manage Microsoft Defender for Endpoint alerts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-alerts). And, if your organization is using a security information and event management (SIEM) server, make sure to define a suppression rule there, too. + +### Suppress an alert + +If you have alerts that are either false positives or are for unimportant events, you can suppress those alerts in the Microsoft Defender Security Center. + +1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. +2. In the navigation pane, select **Alerts queue**. +3. Select an alert that you want to suppress to open its **Details** pane. +4. In the **Details** pane, choose the ellipsis (**...**), and then choose **Create a suppression rule**. +5. Specify all the settings for your suppression rule, and then choose **Save**. + +> [!TIP] +> Need help with suppression rules? See [Suppress an alert and create a new suppression rule](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-alerts#suppress-an-alert-and-create-a-new-suppression-rule). + +## Review remediation actions + +[Remediation actions](manage-auto-investigation.md#remediation-actions), such as sending a file to quarantine or stopping a process, can be taken on entities that are detected as threats. Several types of remediation actions can occur automatically through automated investigation and Microsoft Defender Antivirus. Examples of such actions include: +- Quarantine a file +- Remove a registry key +- Kill a process +- Stop a service +- Disable a driver +- Remove a scheduled task + +Other actions, such as starting an antivirus scan or collecting an investigation package, can occur through [Live Response](live-response.md). Those actions cannot be undone. + +### Review completed actions + +1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in. +2. Select the **History** tab. +3. Select an item to view more details about the remediation action that was taken. + +If you find that a remediation action was taken automatically on an entity that is not actually a threat, you can undo the action. Remediation actions that you can undo include the following: +- Isolate device +- Restrict code execution +- Quarantine a file +- Remove a registry key +- Stop a service +- Disable a driver +- Remove a scheduled task + +### To undo an action + +1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in. +2. On the **History** tab, select an action that you want to undo. +3. In the flyout pane, select **Undo**. (If the action cannot be undone with this method, you will not see an **Undo** button.) + +### To undo multiple actions at one time + +1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in. +2. On the **History** tab, select the actions that you want to undo. +3. In the pane on the right side of the screen, select **Undo**. + + ## Review your threat protection settings Microsoft Defender for Endpoint offers a wide variety of options, including the ability to fine-tune settings for various features and capabilities. If you’re getting numerous false positives, make sure to review your organization’s threat protection settings. You might need to make some adjustments to the following settings in particular: From a5c3e6656d506074a70daafa4d2842b74139b586 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 21 Jan 2021 20:29:36 -0800 Subject: [PATCH 073/116] Update defender-endpoint-false-positives-negatives.md --- ...nder-endpoint-false-positives-negatives.md | 130 +++++++++--------- 1 file changed, 66 insertions(+), 64 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 0a7de859a9..4f8b62add6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -122,6 +122,72 @@ If you find that a remediation action was taken automatically on an entity that 2. On the **History** tab, select the actions that you want to undo. 3. In the pane on the right side of the screen, select **Undo**. +## Review or define exclusions for Microsoft Defender for Endpoint + +An exclusion is an entity that you specify as an exception to remediation actions. The excluded entity might still get detected, but no remediation actions are taken on that entity. That is, the detected file or process won’t be stopped, sent to quarantine, removed, or otherwise changed by Microsoft Defender for Endpoint. + +To define exclusions across Microsoft Defender for Endpoint, perform the following tasks: +- [Define exclusions for Microsoft Defender Antivirus](#exclusions-for-microsoft-defender-antivirus) +- [Create “allow” indicators for Microsoft Defender for Endpoint](#indicators-for-microsoft-defender-for-endpoint) + +Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response), [attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction), and [controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/controlled-folders). Files that you exclude using the methods described in this article can still trigger alerts and other detections. To exclude files broadly, use [custom indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators), such as "allow" indicators for Microsoft Defender for Endpoint. + +The procedures in this section describe how to define exclusions and indicators. + +### Exclusions for Microsoft Defender Antivirus + +In general, you should not need to define exclusions for Microsoft Defender Antivirus. Make sure that you define exclusions sparingly, and that you only include the files, folders, processes, and process-opened files that are resulting in false positives. In addition, make sure to review your defined exclusions regularly. We recommend using Microsoft Endpoint Manager to define or edit your antivirus exclusions; however, you can use other methods, such as Group Policy as well. + +> [!TIP] +> Need help with antivirus exclusions? See [Configure and validate exclusions for Microsoft Defender Antivirus scans](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus). + +#### Use Microsoft Endpoint Manager to manage antivirus exclusions (for existing policies) + +1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. +2. Choose **Endpoint security** > **Antivirus**, and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-create-a-new-antivirus-policy-with-exclusions)). +3. Choose **Properties**, and next to **Configuration settings**, choose **Edit**. +4. Expand **Microsoft Defender Antivirus Exclusions** and then specify your exclusions. +5. Choose **Review + save**, and then choose **Save**. + +#### Use Microsoft Endpoint Manager to create a new antivirus policy with exclusions + +1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. +2. Choose **Endpoint security** > **Antivirus** > **+ Create Policy**. +3. Select a platform (such as **Windows 10 and later**, **macOS**, or **Windows 10 and Windows Server**). +4. For **Profile**, select **Microsoft Defender Antivirus exclusions**, and then choose **Create**. +5. Specify a name and description for the profile, and then choose **Next**. +6. On the **Configuration settings** tab, specify your antivirus exclusions, and then choose **Next**. +7. On the **Scope tags** tab, if you are using scope tags in your organization, specify scope tags for the policy you are creating. (See [Scope tags](https://docs.microsoft.com/mem/intune/fundamentals/scope-tags).) +8. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (If you need help with assignments, see [Assign user and device profiles in Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/device-profile-assign).) +9. On the **Review + create** tab, review the settings, and then choose **Create**. + +### Indicators for Microsoft Defender for Endpoint + +[Indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) enable your security operations team to define the detection, prevention, and exclusion of entities. For example, your security operations team can specify certain files to be omitted from scans and remediation actions in Microsoft Defender for Endpoint. Or, indicators can be used to generate alerts for certain files, IP addresses, or URLs. + +To specify entities as exclusions for Microsoft Defender for Endpoint, your security team can create "allow" indicators for those entities. Such "allow" indicators in Microsoft Defender for Endpoint apply to: + +- [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) +- [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) +- [Automated investigation & remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) + +Your security team can create indicators for files, IP addresses, URLs, domains, and certificates. Use the following resources to create or manage indicators in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)): + +- [Learn more about indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) +- [Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file) +- [Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain) +- [Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates) + +> [!TIP] +> When you create indicators, you can define them one by one or import multiple items at once. Keep in mind there's a limit of 15,000 indicators you can have in a single tenant. And, you might need to gather certain details first, such as file hash information. Make sure to review the prerequisites before you [create indicators](manage-indicators.md). + +| Indicator type | Prerequisites | Notes | +|----|----|---| +|Files

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file). | Microsoft Defender Antivirus with cloud-based protection enabled.

Antimalware client version must be 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

The [Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action

Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes. | +| IP addresses and URLs

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain) | Network protection in Defender for Endpoint must be enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Your antimalware client version must be 4.18.1906.x or later.

Your devices must be running Windows 10, version 1709 or later

Custom network indicators must be turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios leverage Network Protection for inspection and enforcement.

There may be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) | +| Certificates

`.CER` or `.PEM` file extensions are supported.

[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates) |Microsoft Defender Antivirus with cloud-based protection is enabled ([Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Your antimalware client version must be 4.18.1901.x or later.

Your devices must be running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

Your virus and threat protection definitions must be up to date. | A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC. | + + ## Review your threat protection settings @@ -192,70 +258,6 @@ We recommend using Microsoft Endpoint Manager to edit or set PUA protection sett 8. On the **Applicability Rules** tab, specify the OS editions or versions to include or exclude from the policy. For example, you can set the policy to be applied to all devices certain editions of Windows 10. Then choose **Next**. 9. On the **Review + create** tab, review your settings, and, and then choose **Create**. -## Review or define exclusions for Microsoft Defender for Endpoint - -An exclusion is an entity that you specify as an exception to remediation actions. The excluded entity might still get detected, but no remediation actions are taken on that entity. That is, the detected file or process won’t be stopped, sent to quarantine, removed, or otherwise changed by Microsoft Defender for Endpoint. - -To define exclusions across Microsoft Defender for Endpoint, perform the following tasks: -- [Define exclusions for Microsoft Defender Antivirus](#exclusions-for-microsoft-defender-antivirus) -- [Create “allow” indicators for Microsoft Defender for Endpoint](#indicators-for-microsoft-defender-for-endpoint) - -Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response), [attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction), and [controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/controlled-folders). Files that you exclude using the methods described in this article can still trigger alerts and other detections. To exclude files broadly, use [custom indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators), such as "allow" indicators for Microsoft Defender for Endpoint. - -The procedures in this section describe how to define exclusions and indicators. - -### Exclusions for Microsoft Defender Antivirus - -In general, you should not need to define exclusions for Microsoft Defender Antivirus. Make sure that you define exclusions sparingly, and that you only include the files, folders, processes, and process-opened files that are resulting in false positives. In addition, make sure to review your defined exclusions regularly. We recommend using Microsoft Endpoint Manager to define or edit your antivirus exclusions; however, you can use other methods, such as Group Policy as well. - -> [!TIP] -> Need help with antivirus exclusions? See [Configure and validate exclusions for Microsoft Defender Antivirus scans](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus). - -#### Use Microsoft Endpoint Manager to manage antivirus exclusions (for existing policies) - -1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. -2. Choose **Endpoint security** > **Antivirus**, and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-create-a-new-antivirus-policy-with-exclusions)). -3. Choose **Properties**, and next to **Configuration settings**, choose **Edit**. -4. Expand **Microsoft Defender Antivirus Exclusions** and then specify your exclusions. -5. Choose **Review + save**, and then choose **Save**. - -#### Use Microsoft Endpoint Manager to create a new antivirus policy with exclusions - -1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. -2. Choose **Endpoint security** > **Antivirus** > **+ Create Policy**. -3. Select a platform (such as **Windows 10 and later**, **macOS**, or **Windows 10 and Windows Server**). -4. For **Profile**, select **Microsoft Defender Antivirus exclusions**, and then choose **Create**. -5. Specify a name and description for the profile, and then choose **Next**. -6. On the **Configuration settings** tab, specify your antivirus exclusions, and then choose **Next**. -7. On the **Scope tags** tab, if you are using scope tags in your organization, specify scope tags for the policy you are creating. (See [Scope tags](https://docs.microsoft.com/mem/intune/fundamentals/scope-tags).) -8. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (If you need help with assignments, see [Assign user and device profiles in Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/device-profile-assign).) -9. On the **Review + create** tab, review the settings, and then choose **Create**. - -### Indicators for Microsoft Defender for Endpoint - -[Indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) enable your security operations team to define the detection, prevention, and exclusion of entities. For example, your security operations team can specify certain files to be omitted from scans and remediation actions in Microsoft Defender for Endpoint. Or, indicators can be used to generate alerts for certain files, IP addresses, or URLs. - -To specify entities as exclusions for Microsoft Defender for Endpoint, your security team can create "allow" indicators for those entities. Such "allow" indicators in Microsoft Defender for Endpoint apply to: - -- [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) -- [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) -- [Automated investigation & remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) - -Your security team can create indicators for files, IP addresses, URLs, domains, and certificates. Use the following resources to create or manage indicators in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)): - -- [Learn more about indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) -- [Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file) -- [Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain) -- [Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates) - -> [!TIP] -> When you create indicators, you can define them one by one or import multiple items at once. Keep in mind there's a limit of 15,000 indicators you can have in a single tenant. And, you might need to gather certain details first, such as file hash information. Make sure to review the prerequisites before you [create indicators](manage-indicators.md). - -| Indicator type | Prerequisites | Notes | -|----|----|---| -|Files

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file). | Microsoft Defender Antivirus with cloud-based protection enabled.

Antimalware client version must be 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

The [Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action

Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes. | -| IP addresses and URLs

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain) | Network protection in Defender for Endpoint must be enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Your antimalware client version must be 4.18.1906.x or later.

Your devices must be running Windows 10, version 1709 or later

Custom network indicators must be turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios leverage Network Protection for inspection and enforcement.

There may be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) | -| Certificates

`.CER` or `.PEM` file extensions are supported.

[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates) |Microsoft Defender Antivirus with cloud-based protection is enabled ([Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Your antimalware client version must be 4.18.1901.x or later.

Your devices must be running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

Your virus and threat protection definitions must be up to date. | A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC. | ## Classify a false positive or false negative From 4cb7b0ff725dc24fdb77c1f92523830eada4333f Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 21 Jan 2021 20:49:02 -0800 Subject: [PATCH 074/116] Update defender-endpoint-false-positives-negatives.md --- ...nder-endpoint-false-positives-negatives.md | 111 ++++++++---------- 1 file changed, 47 insertions(+), 64 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 4f8b62add6..cb0ee4077d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -33,7 +33,7 @@ ms.custom: FPFN In endpoint protection, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. The process of addressing false positives/negatives includes: -1. Reviewing and classifying alerts +1. [Reviewing and classifying alerts](#review-and-classify-alerts) 2. Reviewing remediation actions that were taken 3. Reviewing and defining exclusions 4. Submitting an entity for analysis @@ -47,10 +47,12 @@ If your security operations team see an alert that was triggered because somethi Managing your alerts and classifying false positives helps to train your threat protection solution and can reduce the number of false positives or false negatives over time. Taking these steps also helps reduce noise in your security operations dashboard so that your security team can focus on higher priority work items. + ### Determine whether an alert is accurate Before you classify or suppress an alert, determine whether the alert is accurate, a false positive, or benign. -1. Go to the Microsoft Defender Security Center (https://securitycenter.windows.com) and sign in. + +1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. 2. In the navigation pane, choose **Alerts queue**. 3. Select an alert to more details about the alert. (See [Review alerts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/review-alerts).) 4. Take one of the following steps: @@ -60,7 +62,7 @@ Before you classify or suppress an alert, determine whether the alert is accurat ### Classify an alert as a false positive -Your security team can classify an alert as a false positive in the Microsoft Defender Security Center, in the Alerts queue. +Your security team can classify an alert as a false positive in the Microsoft Defender Security Center, in the **Alerts queue**. 1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. 2. Select **Alerts queue**, and then select an alert that is a false positive. @@ -110,13 +112,13 @@ If you find that a remediation action was taken automatically on an entity that - Disable a driver - Remove a scheduled task -### To undo an action +### Undo an action 1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in. 2. On the **History** tab, select an action that you want to undo. 3. In the flyout pane, select **Undo**. (If the action cannot be undone with this method, you will not see an **Undo** button.) -### To undo multiple actions at one time +### Undo multiple actions at one time 1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in. 2. On the **History** tab, select the actions that you want to undo. @@ -163,7 +165,7 @@ In general, you should not need to define exclusions for Microsoft Defender Anti ### Indicators for Microsoft Defender for Endpoint -[Indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) enable your security operations team to define the detection, prevention, and exclusion of entities. For example, your security operations team can specify certain files to be omitted from scans and remediation actions in Microsoft Defender for Endpoint. Or, indicators can be used to generate alerts for certain files, IP addresses, or URLs. +[Indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) (specifically, indicators of compromise, or IoCs) enable your security operations team to define the detection, prevention, and exclusion of entities. For example, your security operations team can specify certain files to be omitted from scans and remediation actions in Microsoft Defender for Endpoint. Or, indicators can be used to generate alerts for certain files, IP addresses, or URLs. To specify entities as exclusions for Microsoft Defender for Endpoint, your security team can create "allow" indicators for those entities. Such "allow" indicators in Microsoft Defender for Endpoint apply to: @@ -171,23 +173,52 @@ To specify entities as exclusions for Microsoft Defender for Endpoint, your secu - [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) - [Automated investigation & remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) -Your security team can create indicators for files, IP addresses, URLs, domains, and certificates. Use the following resources to create or manage indicators in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)): +Your security team can create indicators for files, IP addresses, URLs, domains, and certificates, as described in the following table: -- [Learn more about indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) -- [Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file) -- [Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain) -- [Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates) +| Indicator type | Prerequisites | Notes | +|----|----|---| +|Files

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file). | Microsoft Defender Antivirus with cloud-based protection enabled.

Antimalware client version: 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action

Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes. | +| IP addresses and URLs

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain) | Network protection in Defender for Endpoint is enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Antimalware client version: 4.18.1906.x or later.

Devices are running Windows 10, version 1709 or later

Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios leverage Network Protection for inspection and enforcement.

There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) | +| Certificates

`.CER` or `.PEM` file extensions are supported.

[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates) |Microsoft Defender Antivirus with cloud-based protection is enabled ([Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

Virus and threat protection definitions are up to date. | A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC. | > [!TIP] > When you create indicators, you can define them one by one or import multiple items at once. Keep in mind there's a limit of 15,000 indicators you can have in a single tenant. And, you might need to gather certain details first, such as file hash information. Make sure to review the prerequisites before you [create indicators](manage-indicators.md). -| Indicator type | Prerequisites | Notes | -|----|----|---| -|Files

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file). | Microsoft Defender Antivirus with cloud-based protection enabled.

Antimalware client version must be 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

The [Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action

Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes. | -| IP addresses and URLs

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain) | Network protection in Defender for Endpoint must be enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Your antimalware client version must be 4.18.1906.x or later.

Your devices must be running Windows 10, version 1709 or later

Custom network indicators must be turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios leverage Network Protection for inspection and enforcement.

There may be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) | -| Certificates

`.CER` or `.PEM` file extensions are supported.

[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates) |Microsoft Defender Antivirus with cloud-based protection is enabled ([Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Your antimalware client version must be 4.18.1901.x or later.

Your devices must be running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

Your virus and threat protection definitions must be up to date. | A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC. | +## Submit a file for analysis +You can submit entities, such as files and fileless detections, to Microsoft for analysis. Microsoft security researchers analyze all submissions. After you sign in at the submission site, you can track your submissions. +### Submit a file for analysis + +If you have a file that was either wrongly detected as malicious or was missed, follow these steps to submit the file for analysis. + +1. Review the guidelines here: [Submit files for analysis](https://docs.microsoft.com/windows/security/threat-protection/intelligence/submission-guide). +2. Visit the Microsoft Security Intelligence submission site ([https://www.microsoft.com/wdsi/filesubmission](https://www.microsoft.com/wdsi/filesubmission)), and submit your file(s). + +### Submit a fileless detection for analysis + +If something was detected as malware based on behavior, and you don’t have a file, you can submit your Mpsupport.cab file for analysis. You can get the .cab file by using the Microsoft Malware Protection Command-Line Utility (MPCmdRun.exe) tool. + +1. Go to ` C:\ProgramData\Microsoft\Windows Defender\Platform\`, and then run ** MpCmdRun.exe** as an administrator. +2. Type `mpcmdrun.exe -GetFiles`, and then press **Enter**. + A .cab file is generated that contains various diagnostic logs. The location of the file is specified in the output of the command prompt. By default, the location is `C:\ProgramData\Microsoft\Microsoft Defender\Support\MpSupportFiles.cab`. +3. Review the guidelines here: [Submit files for analysis](https://docs.microsoft.com/windows/security/threat-protection/intelligence/submission-guide). +4. Visit the Microsoft Security Intelligence submission site ([https://www.microsoft.com/wdsi/filesubmission](https://www.microsoft.com/wdsi/filesubmission)), and submit your .cab files. + +### What happens after a file is submitted? + +Your submission is immediately scanned by our systems to give you the latest determination even before an analyst starts handling your case. It’s possible that a file might have already been submitted and processed by an analyst. In those cases, a determination is made quickly. + +For submissions that were not already processed, they are prioritized for analysis as follows: + +- Prevalent files with the potential to impact large numbers of computers are given a higher priority. +- Authenticated customers, especially enterprise customers with valid [Software Assurance IDs (SAIDs)](https://www.microsoft.com/licensing/licensing-programs/software-assurance-default.aspx), are given a higher priority. +- Submissions flagged as high priority by SAID holders are given immediate attention. + +To check for updates regarding your submission, sign in at the [Microsoft Security Intelligence submission site](https://www.microsoft.com/wdsi/filesubmission). + +> [!TIP] +> To learn more, see [Submit files for analysis](https://docs.microsoft.com/windows/security/threat-protection/intelligence/submission-guide#how-does-microsoft-prioritize-submissions). ## Review your threat protection settings @@ -258,54 +289,6 @@ We recommend using Microsoft Endpoint Manager to edit or set PUA protection sett 8. On the **Applicability Rules** tab, specify the OS editions or versions to include or exclude from the policy. For example, you can set the policy to be applied to all devices certain editions of Windows 10. Then choose **Next**. 9. On the **Review + create** tab, review your settings, and, and then choose **Create**. - -## Classify a false positive or false negative - -As alerts are triggered, if you see something that was detected as malicious or suspicious that should not be, you can suppress alerts for that entity and classify alerts as false positives. Managing your alerts and classifying false positives helps to train your threat protection solution. Taking these steps also helps reduce noise in your security operations dashboard so that your security team can focus on higher priority work items. - -### Suppress an alert - -You can suppress an alert in the Microsoft Defender Security Center. - -1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. -2. In the navigation pane, select **Alerts queue**. -3. Select an alert that you want to suppress to open its **Details** pane. -4. In the **Details** pane, choose the ellipsis (`...`), and then choose **Create a suppression rule**. -5. Specify all the settings for your suppression rule, and then choose **Save**. - -> [!TIP] -> Need help with suppression rules? See [Suppress an alert and create a new suppression rule](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-alerts#suppress-an-alert-and-create-a-new-suppression-rule). - -### Classify an alert as a false positive - -Your security team can classify an alert as a false positive in the Microsoft Defender Security Center, in the Alerts queue. - -1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. -2. Select **Alerts queue**, and then select an alert that is a false positive. -3. For the selected alert, select **Actions** > **Manage alert**. A flyout pane opens. -4. In the **Manage alert** section, select **True alert** or **False alert**. Use **False alert** to classify a false positive. - -> [!TIP] -> - For more information about suppressing alerts, see [Manage Microsoft Defender for Endpoint alerts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-alerts). -> - If your organization is using a security information and event management (SIEM) server, make sure to define a suppression rule there, too. - -## Submit a file for analysis - -You can submit files, such as false positives or false negatives, to Microsoft for analysis. Microsoft security researchers analyze all submissions. After you sign in at the submission site, you can track your submissions. - -1. Review the guidelines here: [Submit files for analysis](https://docs.microsoft.com/windows/security/threat-protection/intelligence/submission-guide). - -2. Visit the Microsoft Security Intelligence submission ([https://www.microsoft.com/wdsi/filesubmission](https://www.microsoft.com/wdsi/filesubmission)), and submit your file(s). - -## Confirm your software uses EV code signing - -As explained in the blog, [Partnering with the industry to minimize false positives](https://www.microsoft.com/security/blog/2018/08/16/partnering-with-the-industry-to-minimize-false-positives), digital signatures help to ensure the software integrity. The reputation of digital certificates also plays a role in whether software is considered suspicious or not a threat. By using a reputable certificate, developers can reduce the chances of their software being detected as malware. Extended validation (EV) code signing is a more advanced version of digital certificates and requires a more rigorous vetting and authentication process. - -Want to learn more? See the following resources: - -- [Microsoft Security Blog: Partnering with the industry to minimize false positives](https://www.microsoft.com/security/blog/2018/08/16/partnering-with-the-industry-to-minimize-false-positives/) -- [Get a code signing certificate](https://docs.microsoft.com/windows-hardware/drivers/dashboard/get-a-code-signing-certificate) - ## Still need help? If you still need help after working through all the steps in this article, your best bet is to contact technical support. From 5b04617b295d16a1106326c79c481534acd475fe Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 21 Jan 2021 20:50:56 -0800 Subject: [PATCH 075/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index cb0ee4077d..69d5634efb 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -19,7 +19,7 @@ ms.collection: - m365-security-compliance - m365initiative-defender-endpoint ms.topic: conceptual -ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs, yonghree +ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs, yonghree, jcedola ms.custom: FPFN --- @@ -34,10 +34,10 @@ ms.custom: FPFN In endpoint protection, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. The process of addressing false positives/negatives includes: 1. [Reviewing and classifying alerts](#review-and-classify-alerts) -2. Reviewing remediation actions that were taken -3. Reviewing and defining exclusions -4. Submitting an entity for analysis -5. Reviewing your threat protection settings +2. [Reviewing remediation actions that were taken](#review-remediation-actions) +3. [Reviewing and defining exclusions](#review-or-define-exclusions-for-microsoft-defender-for-endpoint) +4. [Submitting an entity for analysis](#submit-a-file-for-analysis) +5. [Reviewing your threat protection settings](#review-your-threat-protection-settings) If you’re using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection), and you're seeing false positives/negatives in your [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use), use this article as a guide to take action. This article also includes information about [what to do if you still need help](#still-need-help) after taking the recommended steps to address false positives/negatives in your environment. From af20c1f8c8f7088cdd22e4c189ab37f64fcfc0f4 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 21 Jan 2021 20:53:42 -0800 Subject: [PATCH 076/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 69d5634efb..dd7dfd3caa 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -103,7 +103,7 @@ Other actions, such as starting an antivirus scan or collecting an investigation 2. Select the **History** tab. 3. Select an item to view more details about the remediation action that was taken. -If you find that a remediation action was taken automatically on an entity that is not actually a threat, you can undo the action. Remediation actions that you can undo include the following: +If you find that a remediation action was taken automatically on an entity that is not actually a threat, you can undo the action. You can undo the following remediation actions: - Isolate device - Restrict code execution - Quarantine a file @@ -178,7 +178,7 @@ Your security team can create indicators for files, IP addresses, URLs, domains, | Indicator type | Prerequisites | Notes | |----|----|---| |Files

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file). | Microsoft Defender Antivirus with cloud-based protection enabled.

Antimalware client version: 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action

Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes. | -| IP addresses and URLs

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain) | Network protection in Defender for Endpoint is enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Antimalware client version: 4.18.1906.x or later.

Devices are running Windows 10, version 1709 or later

Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios leverage Network Protection for inspection and enforcement.

There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) | +| IP addresses and URLs

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain) | Network protection in Defender for Endpoint is enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Antimalware client version: 4.18.1906.x or later.

Devices are running Windows 10, version 1709 or later

Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.

There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) | | Certificates

`.CER` or `.PEM` file extensions are supported.

[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates) |Microsoft Defender Antivirus with cloud-based protection is enabled ([Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

Virus and threat protection definitions are up to date. | A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC. | > [!TIP] From 5596fcc20ce34f2ef0ec31a0c5f2112e18140cd4 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 21 Jan 2021 20:54:20 -0800 Subject: [PATCH 077/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index dd7dfd3caa..977f0216f7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -4,8 +4,8 @@ description: Learn how to handle false positives or false negatives in Microsoft keywords: alert, exclusion, defender atp, false positive, false negative search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 -ms.technology: windows +ms.prod: m365-security +ms.technology: mde ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security From 384d221117fb45f3da607eb5d2c907d3284f4c6e Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 21 Jan 2021 20:58:11 -0800 Subject: [PATCH 078/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 977f0216f7..820e4412bb 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -175,11 +175,11 @@ To specify entities as exclusions for Microsoft Defender for Endpoint, your secu Your security team can create indicators for files, IP addresses, URLs, domains, and certificates, as described in the following table: -| Indicator type | Prerequisites | Notes | -|----|----|---| -|Files

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file). | Microsoft Defender Antivirus with cloud-based protection enabled.

Antimalware client version: 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action

Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes. | -| IP addresses and URLs

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain) | Network protection in Defender for Endpoint is enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Antimalware client version: 4.18.1906.x or later.

Devices are running Windows 10, version 1709 or later

Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.

There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) | -| Certificates

`.CER` or `.PEM` file extensions are supported.

[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates) |Microsoft Defender Antivirus with cloud-based protection is enabled ([Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

Virus and threat protection definitions are up to date. | A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC. | +| Indicator type | Prerequisites | +|:----|:----| +|Files

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file).

The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action

Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes. | Microsoft Defender Antivirus with cloud-based protection enabled.

Antimalware client version: 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | +| IP addresses and URLs

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)

Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.

There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge)| Network protection in Defender for Endpoint is enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Antimalware client version: 4.18.1906.x or later.

Devices are running Windows 10, version 1709 or later

Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | +| Certificates

`.CER` or `.PEM` file extensions are supported.

[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)

A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC. |Microsoft Defender Antivirus with cloud-based protection is enabled ([Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

Virus and threat protection definitions are up to date. | > [!TIP] > When you create indicators, you can define them one by one or import multiple items at once. Keep in mind there's a limit of 15,000 indicators you can have in a single tenant. And, you might need to gather certain details first, such as file hash information. Make sure to review the prerequisites before you [create indicators](manage-indicators.md). From e06f4cba036a2a9599136aff2de740050b8168ac Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 21 Jan 2021 20:59:20 -0800 Subject: [PATCH 079/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 820e4412bb..81d6258ac3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -177,8 +177,8 @@ Your security team can create indicators for files, IP addresses, URLs, domains, | Indicator type | Prerequisites | |:----|:----| -|Files

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file).

The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action

Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes. | Microsoft Defender Antivirus with cloud-based protection enabled.

Antimalware client version: 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | -| IP addresses and URLs

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)

Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.

There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge)| Network protection in Defender for Endpoint is enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Antimalware client version: 4.18.1906.x or later.

Devices are running Windows 10, version 1709 or later

Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | +|**Files**

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

**[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)**

The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action

Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes. | Microsoft Defender Antivirus with cloud-based protection enabled.

Antimalware client version: 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | +| **IP addresses and URLs**

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

**[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)**

Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.

There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge)| Network protection in Defender for Endpoint is enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Antimalware client version: 4.18.1906.x or later.

Devices are running Windows 10, version 1709 or later

Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | | Certificates

`.CER` or `.PEM` file extensions are supported.

[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)

A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC. |Microsoft Defender Antivirus with cloud-based protection is enabled ([Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

Virus and threat protection definitions are up to date. | > [!TIP] From 5912f7dd084c88e5e4b1af9e08edbecbdb101b71 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 21 Jan 2021 20:59:45 -0800 Subject: [PATCH 080/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 81d6258ac3..9e6d2a7b81 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -179,7 +179,7 @@ Your security team can create indicators for files, IP addresses, URLs, domains, |:----|:----| |**Files**

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

**[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)**

The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action

Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes. | Microsoft Defender Antivirus with cloud-based protection enabled.

Antimalware client version: 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | | **IP addresses and URLs**

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

**[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)**

Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.

There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge)| Network protection in Defender for Endpoint is enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Antimalware client version: 4.18.1906.x or later.

Devices are running Windows 10, version 1709 or later

Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | -| Certificates

`.CER` or `.PEM` file extensions are supported.

[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)

A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC. |Microsoft Defender Antivirus with cloud-based protection is enabled ([Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

Virus and threat protection definitions are up to date. | +| **Certificates**

`.CER` or `.PEM` file extensions are supported.

**[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)**

A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC. |Microsoft Defender Antivirus with cloud-based protection is enabled ([Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

Virus and threat protection definitions are up to date. | > [!TIP] > When you create indicators, you can define them one by one or import multiple items at once. Keep in mind there's a limit of 15,000 indicators you can have in a single tenant. And, you might need to gather certain details first, such as file hash information. Make sure to review the prerequisites before you [create indicators](manage-indicators.md). From bfee91e04c29c9cb209372e135e9a521d8109666 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 21 Jan 2021 21:00:49 -0800 Subject: [PATCH 081/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 9e6d2a7b81..6f17620125 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -177,7 +177,7 @@ Your security team can create indicators for files, IP addresses, URLs, domains, | Indicator type | Prerequisites | |:----|:----| -|**Files**

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

**[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)**

The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action

Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes. | Microsoft Defender Antivirus with cloud-based protection enabled.

Antimalware client version: 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | +|**Files**

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

**[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)**

The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action

Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a few minutes, but can take upwards of 30 minutes. | Microsoft Defender Antivirus with cloud-based protection enabled.

Antimalware client version: 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | | **IP addresses and URLs**

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

**[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)**

Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.

There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge)| Network protection in Defender for Endpoint is enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Antimalware client version: 4.18.1906.x or later.

Devices are running Windows 10, version 1709 or later

Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | | **Certificates**

`.CER` or `.PEM` file extensions are supported.

**[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)**

A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC. |Microsoft Defender Antivirus with cloud-based protection is enabled ([Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

Virus and threat protection definitions are up to date. | From da2f03ef717aa23a0e3a86c7f81ee598a4ba9ddf Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 21 Jan 2021 21:04:10 -0800 Subject: [PATCH 082/116] Update defender-endpoint-false-positives-negatives.md --- ...nder-endpoint-false-positives-negatives.md | 21 +++++++++---------- 1 file changed, 10 insertions(+), 11 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 6f17620125..2896e64818 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -33,21 +33,20 @@ ms.custom: FPFN In endpoint protection, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. The process of addressing false positives/negatives includes: -1. [Reviewing and classifying alerts](#review-and-classify-alerts) -2. [Reviewing remediation actions that were taken](#review-remediation-actions) -3. [Reviewing and defining exclusions](#review-or-define-exclusions-for-microsoft-defender-for-endpoint) -4. [Submitting an entity for analysis](#submit-a-file-for-analysis) -5. [Reviewing your threat protection settings](#review-your-threat-protection-settings) +1. [Reviewing and classifying alerts](#part-1-review-and-classify-alerts) +2. [Reviewing remediation actions that were taken](#part-2-review-remediation-actions) +3. [Reviewing and defining exclusions](#part-3-review-or-define-exclusions-for-microsoft-defender-for-endpoint) +4. [Submitting an entity for analysis](#part-4-submit-a-file-for-analysis) +5. [Reviewing your threat protection settings](#part-5-review-and-adjust-your-threat-protection-settings) If you’re using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection), and you're seeing false positives/negatives in your [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use), use this article as a guide to take action. This article also includes information about [what to do if you still need help](#still-need-help) after taking the recommended steps to address false positives/negatives in your environment. -## Review and classify alerts +## Part 1: Review and classify alerts If your security operations team see an alert that was triggered because something was detected as malicious or suspicious that should not have been, you can suppress the alert for that entity. You can also suppress alerts that are not necessarily false positives, but are unimportant. And, you can classify alerts as false positives as needed. Managing your alerts and classifying false positives helps to train your threat protection solution and can reduce the number of false positives or false negatives over time. Taking these steps also helps reduce noise in your security operations dashboard so that your security team can focus on higher priority work items. - ### Determine whether an alert is accurate Before you classify or suppress an alert, determine whether the alert is accurate, a false positive, or benign. @@ -85,7 +84,7 @@ If you have alerts that are either false positives or are for unimportant events > [!TIP] > Need help with suppression rules? See [Suppress an alert and create a new suppression rule](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-alerts#suppress-an-alert-and-create-a-new-suppression-rule). -## Review remediation actions +## Part 2: Review remediation actions [Remediation actions](manage-auto-investigation.md#remediation-actions), such as sending a file to quarantine or stopping a process, can be taken on entities that are detected as threats. Several types of remediation actions can occur automatically through automated investigation and Microsoft Defender Antivirus. Examples of such actions include: - Quarantine a file @@ -124,7 +123,7 @@ If you find that a remediation action was taken automatically on an entity that 2. On the **History** tab, select the actions that you want to undo. 3. In the pane on the right side of the screen, select **Undo**. -## Review or define exclusions for Microsoft Defender for Endpoint +## Part 3: Review or define exclusions for Microsoft Defender for Endpoint An exclusion is an entity that you specify as an exception to remediation actions. The excluded entity might still get detected, but no remediation actions are taken on that entity. That is, the detected file or process won’t be stopped, sent to quarantine, removed, or otherwise changed by Microsoft Defender for Endpoint. @@ -184,7 +183,7 @@ Your security team can create indicators for files, IP addresses, URLs, domains, > [!TIP] > When you create indicators, you can define them one by one or import multiple items at once. Keep in mind there's a limit of 15,000 indicators you can have in a single tenant. And, you might need to gather certain details first, such as file hash information. Make sure to review the prerequisites before you [create indicators](manage-indicators.md). -## Submit a file for analysis +## Part 4: Submit a file for analysis You can submit entities, such as files and fileless detections, to Microsoft for analysis. Microsoft security researchers analyze all submissions. After you sign in at the submission site, you can track your submissions. @@ -220,7 +219,7 @@ To check for updates regarding your submission, sign in at the [Microsoft Securi > [!TIP] > To learn more, see [Submit files for analysis](https://docs.microsoft.com/windows/security/threat-protection/intelligence/submission-guide#how-does-microsoft-prioritize-submissions). -## Review your threat protection settings +## Part 5: Review and adjust your threat protection settings Microsoft Defender for Endpoint offers a wide variety of options, including the ability to fine-tune settings for various features and capabilities. If you’re getting numerous false positives, make sure to review your organization’s threat protection settings. You might need to make some adjustments to the following settings in particular: From 21b877a8f0c60800a12928292c28c5fb344975d0 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 21 Jan 2021 21:08:15 -0800 Subject: [PATCH 083/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 2896e64818..8061a0af30 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -176,9 +176,9 @@ Your security team can create indicators for files, IP addresses, URLs, domains, | Indicator type | Prerequisites | |:----|:----| -|**Files**

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

**[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)**

The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action

Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a few minutes, but can take upwards of 30 minutes. | Microsoft Defender Antivirus with cloud-based protection enabled.

Antimalware client version: 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | -| **IP addresses and URLs**

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

**[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)**

Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.

There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge)| Network protection in Defender for Endpoint is enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Antimalware client version: 4.18.1906.x or later.

Devices are running Windows 10, version 1709 or later

Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | -| **Certificates**

`.CER` or `.PEM` file extensions are supported.

**[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)**

A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC. |Microsoft Defender Antivirus with cloud-based protection is enabled ([Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

Virus and threat protection definitions are up to date. | +|**Files**

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action

Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a few minutes, but can take upwards of 30 minutes.

**[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)** | Microsoft Defender Antivirus with cloud-based protection enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later.

Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019

[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | +| **IP addresses and URLs**

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.

There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge)

**[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)** | Network protection in Defender for Endpoint is enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Antimalware client version: 4.18.1906.x or later.

Devices are running Windows 10, version 1709 or later

Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | +| **Certificates**

`.CER` or `.PEM` file extensions are supported.

A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC.

**[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)** | Microsoft Defender Antivirus with cloud-based protection is enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

Virus and threat protection definitions are up to date. | > [!TIP] > When you create indicators, you can define them one by one or import multiple items at once. Keep in mind there's a limit of 15,000 indicators you can have in a single tenant. And, you might need to gather certain details first, such as file hash information. Make sure to review the prerequisites before you [create indicators](manage-indicators.md). From 88a45ee671d150a2c6f0450362b878debfd7df74 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 21 Jan 2021 21:09:24 -0800 Subject: [PATCH 084/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 8061a0af30..5b2bb0e35f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -178,7 +178,7 @@ Your security team can create indicators for files, IP addresses, URLs, domains, |:----|:----| |**Files**

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action

Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a few minutes, but can take upwards of 30 minutes.

**[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)** | Microsoft Defender Antivirus with cloud-based protection enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later.

Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019

[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | | **IP addresses and URLs**

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.

There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge)

**[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)** | Network protection in Defender for Endpoint is enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Antimalware client version: 4.18.1906.x or later.

Devices are running Windows 10, version 1709 or later

Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | -| **Certificates**

`.CER` or `.PEM` file extensions are supported.

A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC.

**[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)** | Microsoft Defender Antivirus with cloud-based protection is enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later.

Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019

Virus and threat protection definitions are up to date. | +| **Certificates**

`.CER` or `.PEM` file extensions are supported.

A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC.

**[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)** | Microsoft Defender Antivirus with cloud-based protection is enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later.

Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019

Virus and threat protection definitions are up to date. | > [!TIP] > When you create indicators, you can define them one by one or import multiple items at once. Keep in mind there's a limit of 15,000 indicators you can have in a single tenant. And, you might need to gather certain details first, such as file hash information. Make sure to review the prerequisites before you [create indicators](manage-indicators.md). From 616ad2ad31e4cbb6c8c9511d36dc7a7aff9150b9 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 21 Jan 2021 21:10:00 -0800 Subject: [PATCH 085/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 5b2bb0e35f..b7016cc7ba 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -37,7 +37,7 @@ In endpoint protection, a false positive is an entity, such as a file or a proce 2. [Reviewing remediation actions that were taken](#part-2-review-remediation-actions) 3. [Reviewing and defining exclusions](#part-3-review-or-define-exclusions-for-microsoft-defender-for-endpoint) 4. [Submitting an entity for analysis](#part-4-submit-a-file-for-analysis) -5. [Reviewing your threat protection settings](#part-5-review-and-adjust-your-threat-protection-settings) +5. [Reviewing and adjusting your threat protection settings](#part-5-review-and-adjust-your-threat-protection-settings) If you’re using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection), and you're seeing false positives/negatives in your [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use), use this article as a guide to take action. This article also includes information about [what to do if you still need help](#still-need-help) after taking the recommended steps to address false positives/negatives in your environment. From 99e5ed848cfe0fd4aec8adcd57b8f85e02c0f637 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 22 Jan 2021 13:45:39 -0800 Subject: [PATCH 086/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index b7016cc7ba..0a4832febe 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -43,7 +43,7 @@ If you’re using [Microsoft Defender for Endpoint](https://docs.microsoft.com/w ## Part 1: Review and classify alerts -If your security operations team see an alert that was triggered because something was detected as malicious or suspicious that should not have been, you can suppress the alert for that entity. You can also suppress alerts that are not necessarily false positives, but are unimportant. And, you can classify alerts as false positives as needed. +If your security operations team see an alert that was triggered because something was detected as malicious or suspicious that should not have been, you can suppress the alert for that entity. You can also suppress alerts that are not necessarily false positives, but are unimportant. We recommend that you classify alerts as well. Managing your alerts and classifying false positives helps to train your threat protection solution and can reduce the number of false positives or false negatives over time. Taking these steps also helps reduce noise in your security operations dashboard so that your security team can focus on higher priority work items. @@ -54,7 +54,7 @@ Before you classify or suppress an alert, determine whether the alert is accurat 1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. 2. In the navigation pane, choose **Alerts queue**. 3. Select an alert to more details about the alert. (See [Review alerts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/review-alerts).) -4. Take one of the following steps: +4. Take one of the following steps:
- If the alert is accurate, assign and investigate the alert further. - If the alert is a false positive, proceed to classify the alert as a false positive, and then suppress the alert. Also, create an indicator for Microsoft Defender for Endpoint. - If the alert is accurate but benign (unimportant), classify the alert as a true positive, and then suppress the alert. @@ -294,4 +294,9 @@ If you still need help after working through all the steps in this article, your 1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. 2. In the upper right corner, select the question mark (**?**), and then select **Microsoft support**. -3. In the Support Assistant window, describe your issue, and then send your message. From there, you can open a service request. \ No newline at end of file +3. In the Support Assistant window, describe your issue, and then send your message. From there, you can open a service request. + +## See also + +[Manage Microsoft Defender for Endpoint](manage-atp-post-migration.md) + \ No newline at end of file From f508a1704b5862d2f228eaeef81762e2134cc59d Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 22 Jan 2021 13:47:49 -0800 Subject: [PATCH 087/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 0a4832febe..a05b00432f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -54,10 +54,10 @@ Before you classify or suppress an alert, determine whether the alert is accurat 1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. 2. In the navigation pane, choose **Alerts queue**. 3. Select an alert to more details about the alert. (See [Review alerts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/review-alerts).) -4. Take one of the following steps:
- - If the alert is accurate, assign and investigate the alert further. - - If the alert is a false positive, proceed to classify the alert as a false positive, and then suppress the alert. Also, create an indicator for Microsoft Defender for Endpoint. - - If the alert is accurate but benign (unimportant), classify the alert as a true positive, and then suppress the alert. +4. Take one of the following steps:
+ - If the alert is accurate, assign and investigate the alert further. + - If the alert is a false positive, proceed to classify the alert as a false positive, and then suppress the alert. Also, create an indicator for Microsoft Defender for Endpoint. + - If the alert is accurate but benign (unimportant), classify the alert as a true positive, and then suppress the alert. ### Classify an alert as a false positive From f143d389fc4fe91e7feccc6d6986f9642b7b5443 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 22 Jan 2021 13:56:42 -0800 Subject: [PATCH 088/116] Update defender-endpoint-false-positives-negatives.md --- ...nder-endpoint-false-positives-negatives.md | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index a05b00432f..e21d65054d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -31,7 +31,7 @@ ms.custom: FPFN - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146806) -In endpoint protection, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. The process of addressing false positives/negatives includes: +In endpoint protection, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. If you’re using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection), and you're seeing false positives/negatives in your [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use), your security operations can take steps to address false positives or false negatives. These steps include: 1. [Reviewing and classifying alerts](#part-1-review-and-classify-alerts) 2. [Reviewing remediation actions that were taken](#part-2-review-remediation-actions) @@ -39,7 +39,7 @@ In endpoint protection, a false positive is an entity, such as a file or a proce 4. [Submitting an entity for analysis](#part-4-submit-a-file-for-analysis) 5. [Reviewing and adjusting your threat protection settings](#part-5-review-and-adjust-your-threat-protection-settings) -If you’re using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection), and you're seeing false positives/negatives in your [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use), use this article as a guide to take action. This article also includes information about [what to do if you still need help](#still-need-help) after taking the recommended steps to address false positives/negatives in your environment. +This article also includes information about [what to do if you still need help](#still-need-help) after taking the recommended steps to address false positives/negatives in your environment. ## Part 1: Review and classify alerts @@ -55,18 +55,21 @@ Before you classify or suppress an alert, determine whether the alert is accurat 2. In the navigation pane, choose **Alerts queue**. 3. Select an alert to more details about the alert. (See [Review alerts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/review-alerts).) 4. Take one of the following steps:
- - If the alert is accurate, assign and investigate the alert further. - - If the alert is a false positive, proceed to classify the alert as a false positive, and then suppress the alert. Also, create an indicator for Microsoft Defender for Endpoint. - - If the alert is accurate but benign (unimportant), classify the alert as a true positive, and then suppress the alert. -### Classify an alert as a false positive + | Alert status | What to do | + |:---|:---| + | The alert is accurate | Assign the alert, and then [investigate it](investigate-alerts.md) further. | + | The alert is a false positive | Proceed to [classify the alert](#classify-an-alert) as a false positive, and then [suppress the alert](#suppress-an-alert).

Also, create an indicator for Microsoft Defender for Endpoint. | + | The alert is accurate but benign (unimportant) | [Classify the alert](#classify-an-alert) as a true positive, and then [suppress the alert](#suppress-an-alert). | -Your security team can classify an alert as a false positive in the Microsoft Defender Security Center, in the **Alerts queue**. +### Classify an alert + +Your security team can classify an alert as a false positive or a true positive in the Microsoft Defender Security Center, in the **Alerts queue**. 1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. 2. Select **Alerts queue**, and then select an alert that is a false positive. 3. For the selected alert, select **Actions** > **Manage alert**. A flyout pane opens. -4. In the **Manage alert** section, select **True alert** or **False alert**. Use **False alert** to classify a false positive. +4. In the **Manage alert** section, select either **True alert** or **False alert**. (Use **False alert** to classify a false positive.) > [!TIP] > For more information about suppressing alerts, see [Manage Microsoft Defender for Endpoint alerts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-alerts). And, if your organization is using a security information and event management (SIEM) server, make sure to define a suppression rule there, too. From 87cbe724737cf5cd54d6bb7393c150d0ef345b2e Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 22 Jan 2021 13:59:31 -0800 Subject: [PATCH 089/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index e21d65054d..ebf9e149f7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -179,9 +179,9 @@ Your security team can create indicators for files, IP addresses, URLs, domains, | Indicator type | Prerequisites | |:----|:----| -|**Files**

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action

Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a few minutes, but can take upwards of 30 minutes.

**[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)** | Microsoft Defender Antivirus with cloud-based protection enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later.

Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019

[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | -| **IP addresses and URLs**

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.

There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge)

**[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)** | Network protection in Defender for Endpoint is enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Antimalware client version: 4.18.1906.x or later.

Devices are running Windows 10, version 1709 or later

Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | -| **Certificates**

`.CER` or `.PEM` file extensions are supported.

A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC.

**[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)** | Microsoft Defender Antivirus with cloud-based protection is enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later.

Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019

Virus and threat protection definitions are up to date. | +|**Files**

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action

Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a few minutes, but can take upwards of 30 minutes.

**[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)** | Microsoft Defender Antivirus with cloud-based protection enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later

Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019

[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features) | +| **IP addresses and URLs**

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.

There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge)

**[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)** | Network protection in Defender for Endpoint is enabled in block mode (See [Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Antimalware client version: 4.18.1906.x or later

Devices are running Windows 10, version 1709 or later

Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | +| **Certificates**

`.CER` or `.PEM` file extensions are supported.

A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC.

**[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)** | Microsoft Defender Antivirus with cloud-based protection is enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later

Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019

Virus and threat protection definitions are up to date | > [!TIP] > When you create indicators, you can define them one by one or import multiple items at once. Keep in mind there's a limit of 15,000 indicators you can have in a single tenant. And, you might need to gather certain details first, such as file hash information. Make sure to review the prerequisites before you [create indicators](manage-indicators.md). From 7117e088936828f936875166dc99f7d0e6ee140b Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 22 Jan 2021 14:02:08 -0800 Subject: [PATCH 090/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index ebf9e149f7..5d5c8cd439 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -177,11 +177,11 @@ To specify entities as exclusions for Microsoft Defender for Endpoint, your secu Your security team can create indicators for files, IP addresses, URLs, domains, and certificates, as described in the following table: -| Indicator type | Prerequisites | +| Indicator | Prerequisites | |:----|:----| -|**Files**

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action

Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a few minutes, but can take upwards of 30 minutes.

**[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)** | Microsoft Defender Antivirus with cloud-based protection enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later

Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019

[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features) | -| **IP addresses and URLs**

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.

There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge)

**[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)** | Network protection in Defender for Endpoint is enabled in block mode (See [Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Antimalware client version: 4.18.1906.x or later

Devices are running Windows 10, version 1709 or later

Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | -| **Certificates**

`.CER` or `.PEM` file extensions are supported.

A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC.

**[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)** | Microsoft Defender Antivirus with cloud-based protection is enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later

Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019

Virus and threat protection definitions are up to date | +|**[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)**

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action

Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a few minutes, but can take upwards of 30 minutes. | Microsoft Defender Antivirus with cloud-based protection enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later

Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019

[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features) | +| **[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)**

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.

There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) | Network protection in Defender for Endpoint is enabled in block mode (See [Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Antimalware client version: 4.18.1906.x or later

Devices are running Windows 10, version 1709 or later

Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | +| **[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)**

`.CER` or `.PEM` file extensions are supported.

A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC. | Microsoft Defender Antivirus with cloud-based protection is enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later

Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019

Virus and threat protection definitions are up to date | > [!TIP] > When you create indicators, you can define them one by one or import multiple items at once. Keep in mind there's a limit of 15,000 indicators you can have in a single tenant. And, you might need to gather certain details first, such as file hash information. Make sure to review the prerequisites before you [create indicators](manage-indicators.md). From 313ba03c26e01250398b81e165f00a3eace1f715 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 22 Jan 2021 14:02:39 -0800 Subject: [PATCH 091/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 5d5c8cd439..68985360e9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -178,7 +178,7 @@ To specify entities as exclusions for Microsoft Defender for Endpoint, your secu Your security team can create indicators for files, IP addresses, URLs, domains, and certificates, as described in the following table: | Indicator | Prerequisites | -|:----|:----| +|:----:|:----:| |**[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)**

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action

Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a few minutes, but can take upwards of 30 minutes. | Microsoft Defender Antivirus with cloud-based protection enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later

Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019

[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features) | | **[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)**

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.

There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) | Network protection in Defender for Endpoint is enabled in block mode (See [Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Antimalware client version: 4.18.1906.x or later

Devices are running Windows 10, version 1709 or later

Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | | **[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)**

`.CER` or `.PEM` file extensions are supported.

A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC. | Microsoft Defender Antivirus with cloud-based protection is enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later

Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019

Virus and threat protection definitions are up to date | From 5fe58051f530f67580c42bea28161217a1c1387e Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 22 Jan 2021 14:07:15 -0800 Subject: [PATCH 092/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 68985360e9..cecea25f5e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -76,7 +76,7 @@ Your security team can classify an alert as a false positive or a true positive ### Suppress an alert -If you have alerts that are either false positives or are for unimportant events, you can suppress those alerts in the Microsoft Defender Security Center. +If you have alerts that are either false positives or that are true positives but are for unimportant events, you can suppress those alerts in the Microsoft Defender Security Center. Suppressing alerts helps reduce noise in your security operations dashboard. 1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. 2. In the navigation pane, select **Alerts queue**. From 8960bc4e9c0b881a801a4e8f8ecb19e442b5494f Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 22 Jan 2021 14:07:51 -0800 Subject: [PATCH 093/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index cecea25f5e..d5976bd76c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -178,7 +178,7 @@ To specify entities as exclusions for Microsoft Defender for Endpoint, your secu Your security team can create indicators for files, IP addresses, URLs, domains, and certificates, as described in the following table: | Indicator | Prerequisites | -|:----:|:----:| +|:----|:----| |**[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)**

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action

Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a few minutes, but can take upwards of 30 minutes. | Microsoft Defender Antivirus with cloud-based protection enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later

Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019

[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features) | | **[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)**

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.

There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) | Network protection in Defender for Endpoint is enabled in block mode (See [Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Antimalware client version: 4.18.1906.x or later

Devices are running Windows 10, version 1709 or later

Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | | **[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)**

`.CER` or `.PEM` file extensions are supported.

A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC. | Microsoft Defender Antivirus with cloud-based protection is enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later

Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019

Virus and threat protection definitions are up to date | From f386ac4af4d8b6e9ae82cd3a12dd8112b92ccfb8 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 22 Jan 2021 14:10:31 -0800 Subject: [PATCH 094/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index d5976bd76c..3342692fc9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -302,4 +302,5 @@ If you still need help after working through all the steps in this article, your ## See also [Manage Microsoft Defender for Endpoint](manage-atp-post-migration.md) - \ No newline at end of file + +[Overview of Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use) \ No newline at end of file From 28794addaf76195c266a81fbc9f42834482621b8 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 22 Jan 2021 14:17:17 -0800 Subject: [PATCH 095/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 3342692fc9..56ef4f1e45 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -59,8 +59,8 @@ Before you classify or suppress an alert, determine whether the alert is accurat | Alert status | What to do | |:---|:---| | The alert is accurate | Assign the alert, and then [investigate it](investigate-alerts.md) further. | - | The alert is a false positive | Proceed to [classify the alert](#classify-an-alert) as a false positive, and then [suppress the alert](#suppress-an-alert).

Also, create an indicator for Microsoft Defender for Endpoint. | - | The alert is accurate but benign (unimportant) | [Classify the alert](#classify-an-alert) as a true positive, and then [suppress the alert](#suppress-an-alert). | + | The alert is a false positive | 1. Proceed to [classify the alert](#classify-an-alert) as a false positive, and then [suppress the alert](#suppress-an-alert).

2. [Create an indicator](#indicators-for-microsoft-defender-for-endpoint) for Microsoft Defender for Endpoint.

3. [Submit a file to Microsoft for analysis](#part-4-submit-a-file-for-analysis). | + | The alert is accurate, but benign (unimportant) | [Classify the alert](#classify-an-alert) as a true positive, and then [suppress the alert](#suppress-an-alert). | ### Classify an alert From aabbcc4e3710334f83029829595e8bbd8d3f0749 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 22 Jan 2021 14:18:46 -0800 Subject: [PATCH 096/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 56ef4f1e45..4cc8fd34a3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -45,7 +45,7 @@ This article also includes information about [what to do if you still need help] If your security operations team see an alert that was triggered because something was detected as malicious or suspicious that should not have been, you can suppress the alert for that entity. You can also suppress alerts that are not necessarily false positives, but are unimportant. We recommend that you classify alerts as well. -Managing your alerts and classifying false positives helps to train your threat protection solution and can reduce the number of false positives or false negatives over time. Taking these steps also helps reduce noise in your security operations dashboard so that your security team can focus on higher priority work items. +Managing your alerts and classifying true/false positives helps to train your threat protection solution and can reduce the number of false positives or false negatives over time. Taking these steps also helps reduce noise in your security operations dashboard so that your security team can focus on higher priority work items. ### Determine whether an alert is accurate From 223f0f72df48f4d2163e19aa778a881ea8767469 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 22 Jan 2021 14:21:00 -0800 Subject: [PATCH 097/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 4cc8fd34a3..48f1a3208e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -54,7 +54,7 @@ Before you classify or suppress an alert, determine whether the alert is accurat 1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. 2. In the navigation pane, choose **Alerts queue**. 3. Select an alert to more details about the alert. (See [Review alerts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/review-alerts).) -4. Take one of the following steps:
+4. Depending on the alert status, take the steps described in the following table:
| Alert status | What to do | |:---|:---| From e4a721f0618a51e419046ab3d179b42160e08574 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 22 Jan 2021 14:26:14 -0800 Subject: [PATCH 098/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 48f1a3208e..20fe6f78d4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -227,7 +227,7 @@ To check for updates regarding your submission, sign in at the [Microsoft Securi Microsoft Defender for Endpoint offers a wide variety of options, including the ability to fine-tune settings for various features and capabilities. If you’re getting numerous false positives, make sure to review your organization’s threat protection settings. You might need to make some adjustments to the following settings in particular: - [Cloud-delivered protection](#cloud-delivered-protection) -- [Remediation for potentially unwanted apps](#remediation-for-potentially-unwanted-applications-pua) (PUA) +- [Remediation for potentially unwanted applications](#remediation-for-potentially-unwanted-applications) ### Cloud-delivered protection From 9dafcb23f50b744dbc973442916eb7e335bbb52f Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 22 Jan 2021 14:32:47 -0800 Subject: [PATCH 099/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 20fe6f78d4..195c784c4e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -201,7 +201,7 @@ If you have a file that was either wrongly detected as malicious or was missed, If something was detected as malware based on behavior, and you don’t have a file, you can submit your Mpsupport.cab file for analysis. You can get the .cab file by using the Microsoft Malware Protection Command-Line Utility (MPCmdRun.exe) tool. -1. Go to ` C:\ProgramData\Microsoft\Windows Defender\Platform\`, and then run ** MpCmdRun.exe** as an administrator. +1. Go to ` C:\ProgramData\Microsoft\Windows Defender\Platform\`, and then run `MpCmdRun.exe` as an administrator. 2. Type `mpcmdrun.exe -GetFiles`, and then press **Enter**. A .cab file is generated that contains various diagnostic logs. The location of the file is specified in the output of the command prompt. By default, the location is `C:\ProgramData\Microsoft\Microsoft Defender\Support\MpSupportFiles.cab`. 3. Review the guidelines here: [Submit files for analysis](https://docs.microsoft.com/windows/security/threat-protection/intelligence/submission-guide). From b7ac564fd79b1e104204a9c2155adb1968e9e98e Mon Sep 17 00:00:00 2001 From: Ben Alfasi Date: Sun, 24 Jan 2021 14:30:32 +0200 Subject: [PATCH 100/116] 1 --- .../microsoft-defender-atp/find-machines-by-tag.md | 13 ++++++++++--- .../get-discovered-vulnerabilities.md | 4 ++++ .../microsoft-defender-atp/get-domain-statistics.md | 7 ++++++- .../microsoft-defender-atp/get-file-statistics.md | 7 ++++++- .../microsoft-defender-atp/get-ip-statistics.md | 7 ++++++- .../get-missing-kbs-machine.md | 6 +++++- .../get-security-recommendations.md | 4 ++++ .../microsoft-defender-atp/import-ti-indicators.md | 2 +- 8 files changed, 42 insertions(+), 8 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-tag.md b/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-tag.md index c077f850b8..e34e5962d8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-tag.md +++ b/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-tag.md @@ -32,7 +32,7 @@ ms.topic: article ## API description Find [Machines](machine.md) by [Tag](machine-tags.md). - +
```startswith``` query is supported. ## Limitations 1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. @@ -56,7 +56,7 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine ## HTTP request ``` -GET /api/machines/findbytag(tag='{tag}') +GET /api/machines/findbytag?tag={tag}&useStartsWithFilter={true/false} ``` ## Request headers @@ -65,6 +65,13 @@ Name | Type | Description :---|:---|:--- Authorization | String | Bearer {token}. **Required**. +## Request URI parameters + +Name | Type | Description +:---|:---|:--- +tag | String | The tag name. **Required**. +useStartsWithFilter | Boolean | When set to true, the search will find all devices with tag name that starts with the given tag in the query. Defaults to false. **Optional**. + ## Request body Empty @@ -78,5 +85,5 @@ If successful - 200 OK with list of the machines in the response body. Here is an example of the request. ``` -GET https://api.securitycenter.microsoft.com/api/machines/findbytag(tag='testTag') +GET https://api.securitycenter.microsoft.com/api/machines/findbytag?tag=testTag&useStartsWithFilter=true ``` \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md index 773a35d073..258209f10d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md @@ -30,8 +30,12 @@ ms.technology: mde [!include[Improve request performance](../../includes/improve-request-performance.md)] +## API description Retrieves a collection of discovered vulnerabilities related to a given device ID. +## Limitations +1. Rate limitations for this API are 50 calls per minute and 1500 calls per hour. + ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md index dda241406d..3720025ad9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md @@ -62,6 +62,11 @@ Header | Value :---|:--- Authorization | Bearer {token}. **Required**. +## Request URI parameters + +Name | Type | Description +:---|:---|:--- +lookBackHours | Int32 | Defines the hours we search back to get the statistics. Defaults to 30 days. **Optional**. ## Request body Empty @@ -77,7 +82,7 @@ If successful and domain exists - 200 OK, with statistics object in the response Here is an example of the request. ``` -GET https://api.securitycenter.microsoft.com/api/domains/example.com/stats +GET https://api.securitycenter.microsoft.com/api/domains/example.com/stats?lookBackHours=48 ``` **Response** diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md index 45c0c7f97f..ac9da34d73 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md @@ -62,6 +62,11 @@ Name | Type | Description :---|:---|:--- Authorization | String | Bearer {token}. **Required**. +## Request URI parameters + +Name | Type | Description +:---|:---|:--- +lookBackHours | Int32 | Defines the hours we search back to get the statistics. Defaults to 30 days. **Optional**. ## Request body Empty @@ -77,7 +82,7 @@ If successful and file exists - 200 OK with statistical data in the body. If fil Here is an example of the request. ``` -GET https://api.securitycenter.microsoft.com/api/files/0991a395da64e1c5fbe8732ed11e6be064081d9f/stats +GET https://api.securitycenter.microsoft.com/api/files/0991a395da64e1c5fbe8732ed11e6be064081d9f/stats?lookBackHours=48 ``` **Response** diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md index e720d2f338..5ba7c77cd7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md @@ -63,6 +63,11 @@ Name | Type | Description :---|:---|:--- Authorization | String | Bearer {token}. **Required**. +## Request URI parameters + +Name | Type | Description +:---|:---|:--- +lookBackHours | Int32 | Defines the hours we search back to get the statistics. Defaults to 30 days. **Optional**. ## Request body Empty @@ -78,7 +83,7 @@ If successful and ip exists - 200 OK with statistical data in the body. IP do no Here is an example of the request. ```http -GET https://api.securitycenter.microsoft.com/api/ips/10.209.67.177/stats +GET https://api.securitycenter.microsoft.com/api/ips/10.209.67.177/stats?lookBackHours=48 ``` **Response** diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md index 9ac01f22cf..abb4bd89f5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md @@ -30,7 +30,11 @@ ms.technology: mde [!include[Improve request performance](../../includes/improve-request-performance.md)] -Retrieves missing KBs (security updates) by device ID +## API description +Retrieves missing KBs (security updates) by device ID. + +## Limitations +1. Rate limitations for this API are 50 calls per minute and 1500 calls per hour. ## HTTP request diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md b/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md index 1d2dfe41dd..f08ce4f926 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md @@ -31,8 +31,12 @@ ms.technology: mde [!include[Prerelease information](../../includes/prerelease.md)] +## API description Retrieves a collection of security recommendations related to a given device ID. +## Limitations +1. Rate limitations for this API are 50 calls per minute and 1500 calls per hour. + ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/import-ti-indicators.md b/windows/security/threat-protection/microsoft-defender-atp/import-ti-indicators.md index 822e0f9985..8e33f2ae5c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/import-ti-indicators.md +++ b/windows/security/threat-protection/microsoft-defender-atp/import-ti-indicators.md @@ -37,7 +37,7 @@ Submits or Updates batch of [Indicator](ti-indicator.md) entities. ## Limitations 1. Rate limitations for this API are 30 calls per minute. 2. There is a limit of 15,000 active [Indicators](ti-indicator.md) per tenant. - +3. Maximum batch size for one API call is 500. ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Get started](apis-intro.md) From b54bd97a85d313c549533a537de4f5dcc35b61ea Mon Sep 17 00:00:00 2001 From: Ben Alfasi Date: Sun, 24 Jan 2021 14:57:21 +0200 Subject: [PATCH 101/116] 2 --- .../add-or-remove-machine-tags.md | 6 ++++-- .../collect-investigation-package.md | 4 +++- .../get-alert-related-domain-info.md | 4 +--- .../get-alert-related-files-info.md | 4 +--- .../get-alert-related-ip-info.md | 4 +--- .../get-alert-related-machine-info.md | 4 +--- .../get-alert-related-user-info.md | 4 +--- .../microsoft-defender-atp/get-domain-statistics.md | 4 +--- .../microsoft-defender-atp/get-file-information.md | 4 +--- .../microsoft-defender-atp/get-file-statistics.md | 4 +--- .../get-investigation-collection.md | 4 +--- .../microsoft-defender-atp/get-ip-statistics.md | 4 +--- .../microsoft-defender-atp/get-kbinfo-collection.md | 7 ++----- .../microsoft-defender-atp/get-machine-by-id.md | 4 +--- .../get-machine-log-on-users.md | 4 +--- .../get-machineaction-object.md | 6 ++---- .../get-machineactions-collection.md | 6 ++---- .../microsoft-defender-atp/get-machines.md | 4 +--- .../get-machinesecuritystates-collection.md | 7 ++----- .../microsoft-defender-atp/get-package-sas-uri.md | 8 ++------ .../get-ti-indicators-collection.md | 12 ++++-------- .../microsoft-defender-atp/get-user-information.md | 7 ++----- .../initiate-autoir-investigation.md | 8 +++++--- .../microsoft-defender-atp/isolate-machine.md | 10 ++++++---- .../microsoft-defender-atp/offboard-machine-api.md | 6 ++++-- .../restrict-code-execution.md | 9 +++++---- .../microsoft-defender-atp/run-advanced-query-api.md | 12 +++++++----- .../microsoft-defender-atp/run-av-scan.md | 6 ++++-- .../stop-and-quarantine-file.md | 6 ++++-- .../microsoft-defender-atp/unisolate-machine.md | 6 ++++-- .../unrestrict-code-execution.md | 6 ++++-- .../microsoft-defender-atp/update-alert.md | 5 +++-- 32 files changed, 82 insertions(+), 107 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md b/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md index c9987f3a99..2a992e5e4f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md +++ b/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md @@ -90,9 +90,11 @@ If successful, this method returns 200 - Ok response code and the updated Machin Here is an example of a request that adds machine tag. -```http +``` POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/tags -Content-type: application/json +``` + +```json { "Value" : "test Tag 2", "Action": "Add" diff --git a/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md b/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md index ee50396e37..7c823acfd6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md +++ b/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md @@ -83,7 +83,9 @@ Here is an example of the request. ``` POST https://api.securitycenter.microsoft.com/api/machines/fb9ab6be3965095a09c057be7c90f0a2/collectInvestigationPackage -Content-type: application/json +``` + +```json { "Comment": "Collect forensics due to alert 1234" } diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md index 9347365103..aaa3ab921d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md @@ -85,9 +85,7 @@ GET https://api.securitycenter.microsoft.com/alerts/636688558380765161_213628044 Here is an example of the response. -``` -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/$metadata#Domains", "value": [ diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md index 80dfa7de59..705b9284db 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md @@ -86,9 +86,7 @@ GET https://api.securitycenter.microsoft.com/api/alerts/636688558380765161_21362 Here is an example of the response. -``` -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Files", "value": [ diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md index b241dd2b72..02701c84db 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md @@ -87,9 +87,7 @@ GET https://api.securitycenter.microsoft.com/alerts/636688558380765161_213628044 Here is an example of the response. -``` -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/$metadata#Ips", "value": [ diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md index e4850f8d55..a5e59345c3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md @@ -88,9 +88,7 @@ GET https://api.securitycenter.microsoft.com/api/alerts/636688558380765161_21362 Here is an example of the response. -``` -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machines/$entity", "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md index ea89e7158c..a256a1f597 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md @@ -87,9 +87,7 @@ GET https://api.securitycenter.microsoft.com/api/alerts/636688558380765161_21362 Here is an example of the response. -``` -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Users/$entity", "id": "contoso\\user1", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md index 3720025ad9..dd3331b476 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md @@ -90,9 +90,7 @@ GET https://api.securitycenter.microsoft.com/api/domains/example.com/stats?lookB Here is an example of the response. -``` -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgDomainStats", "host": "example.com", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md index 736c3298e2..019f1385c7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md @@ -85,9 +85,7 @@ GET https://api.securitycenter.microsoft.com/api/files/4388963aaa83afe2042a46a3c Here is an example of the response. -``` -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Files/$entity", "sha1": "4388963aaa83afe2042a46a3c017ad50bdcdafb3", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md index ac9da34d73..cf1898803a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md @@ -90,9 +90,7 @@ GET https://api.securitycenter.microsoft.com/api/files/0991a395da64e1c5fbe8732ed Here is an example of the response. -``` -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgFileStats", "sha1": "0991a395da64e1c5fbe8732ed11e6be064081d9f", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-investigation-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-investigation-collection.md index 47662456ae..cca2597b98 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-investigation-collection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-investigation-collection.md @@ -90,9 +90,7 @@ GET https://api.securitycenter.microsoft.com/api/investigations Here is an example of the response: -``` -HTTP/1.1 200 Ok -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Investigations", "value": [ diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md index 5ba7c77cd7..bc04301ab1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md @@ -91,9 +91,7 @@ GET https://api.securitycenter.microsoft.com/api/ips/10.209.67.177/stats?lookBac Here is an example of the response. -```http -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgIPStats", "ipAddress": "10.209.67.177", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md index f108cdfbf6..0eeced010e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md @@ -61,18 +61,15 @@ If successful - 200 OK. Here is an example of the request. -``` +```http GET https://graph.microsoft.com/testwdatppreview/KbInfo -Content-type: application/json ``` **Response** Here is an example of the response. -``` -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#KbInfo", "@odata.count": 271, diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md index ceac9cc0ed..0a6ff20f30 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md @@ -91,9 +91,7 @@ GET https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c29 Here is an example of the response. -```http -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machine", "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md index f4730dce02..3e9b901fac 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md @@ -87,9 +87,7 @@ GET https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c29 Here is an example of the response. -```http -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Users", "value": [ diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md b/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md index 35d7343116..9520bd1379 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md @@ -77,7 +77,7 @@ If successful, this method returns 200, Ok response code with a [Machine Action] Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/machineactions/2e9da30d-27f6-4208-81f2-9cd3d67893ba ``` @@ -86,9 +86,7 @@ GET https://api.securitycenter.microsoft.com/api/machineactions/2e9da30d-27f6-42 Here is an example of the response. -``` -HTTP/1.1 200 Ok -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#MachineActions/$entity", "id": "5382f7ea-7557-4ab7-9782-d50480024a4e", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md index 11bd89fa3b..d910d3beda 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md @@ -82,7 +82,7 @@ If successful, this method returns 200, Ok response code with a collection of [m Here is an example of the request on an organization that has three MachineActions. -``` +```http GET https://api.securitycenter.microsoft.com/api/machineactions ``` @@ -91,9 +91,7 @@ GET https://api.securitycenter.microsoft.com/api/machineactions Here is an example of the response. -``` -HTTP/1.1 200 Ok -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#MachineActions", "value": [ diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines.md index ad2331e5ab..42a179a64f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machines.md @@ -92,9 +92,7 @@ GET https://api.securitycenter.microsoft.com/api/machines Here is an example of the response. -```http -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machines", "value": [ diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md index 9565ba0014..9d1e0ef235 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md @@ -60,9 +60,8 @@ If successful - 200 OK. Here is an example of the request. -``` +```http GET https://graph.microsoft.com/testwdatppreview/machinesecuritystates -Content-type: application/json ``` **Response** @@ -70,9 +69,7 @@ Content-type: application/json Here is an example of the response. Field *id* contains device id and equal to the field *id** in devices info. -``` -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context":"https://graph.microsoft.com/testwdatppreview/$metadata#MachineSecurityStates", "@odata.count":444, diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md b/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md index ccd17fea22..2683556f81 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md @@ -73,19 +73,15 @@ If successful, this method returns 200, Ok response code with object that holds Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/machineactions/7327b54fd718525cbca07dacde913b5ac3c85673/GetPackageUri - ``` **Response** Here is an example of the response. -``` -HTTP/1.1 200 Ok -Content-type: application/json - +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Edm.String", "value": "\"https://userrequests-us.securitycenter.windows.com:443/safedownload/WDATP_Investigation_Package.zip?token=gbDyj7y%2fbWGAZjn2sFiZXlliBTXOCVG7yiJ6mXNaQ9pLByC2Wxeno9mENsPFP3xMk5l%2bZiJXjLvqAyNEzUNROxoM2I1er9dxzfVeBsxSmclJjPsAx%2btiNyxSz1Ax%2b5jaT5cL5bZg%2b8wgbwY9urXbTpGjAKh6FB1e%2b0ypcWkPm8UkfOwsmtC%2biZJ2%2bPqnkkeQk7SKMNoAvmh9%2fcqDIPKXGIBjMa0D9auzypOqd8bQXp7p2BnLSH136BxST8n9IHR4PILvRjAYW9kvtHkBpBitfydAsUW4g2oDZSPN3kCLBOoo1C4w4Lkc9Bc3GNU2IW6dfB7SHcp7G9p4BDkeJl3VuDs6esCaeBorpn9FKJ%2fXo7o9pdcI0hUPZ6Ds9hiPpwPUtz5J29CBE3QAopCK%2fsWlf6OW2WyXsrNRSnF1tVE5H3wXpREzuhD7S4AIA3OIEZKzC4jIPLeMu%2bazZU9xGwuc3gICOaokbwMJiZTqcUuK%2fV9YdBdjdg8wJ16NDU96Pl6%2fgew2KYuk6Wo7ZuHotgHI1abcsvdlpe4AvixDbqcRJthsg2PpLRaFLm5av44UGkeK6TJpFvxUn%2f9fg6Zk5yM1KUTHb8XGmutoCM8U9er6AzXZlY0gGc3D3bQOg41EJZkEZLyUEbk1hXJB36ku2%2bW01cG71t7MxMBYz7%2bdXobxpdo%3d%3bRWS%2bCeoDfTyDcfH5pkCg6hYDmCOPr%2fHYQuaUWUBNVnXURYkdyOzVHqp%2fe%2f1BNyPdVoVkpQHpz1pPS3b5g9h7IMmNKCk5gFq5m2nPx6kk9EYtzx8Ndoa2m9Yj%2bSaf8zIFke86YnfQL4AYewsnQNJJh4wc%2bXxGlBq7axDcoiOdX91rKzVicH3GSBkFoLFAKoegWWsF%2fEDZcVpF%2fXUA1K8HvB6dwyfy4y0sAqnNPxYTQ97mG7yHhxPt4Pe9YF2UPPAJVuEf8LNlQ%2bWHC9%2f7msF6UUI4%2fca%2ftpjFs%2fSNeRE8%2fyQj21TI8YTF1SowvaJuDc1ivEoeopNNGG%2bGI%2fX0SckaVxU9Hdkh0zbydSlT5SZwbSwescs0IpzECitBbaLUz4aT8KTs8T0lvx8D7Te3wVsKAJ1r3iFMQZrlk%2bS1WW8rvac7oHRx2HKURn1v7fDIQWgJr9aNsNlFz4fLJ50T2qSHuuepkLVbe93Va072aMGhvr09WVKoTpAf1j2bcFZZU6Za5PxI32mr0k90FgiYFJ1F%2f1vRDrGwvWVWUkR3Z33m4g0gHa52W1FMxQY0TJIwbovD6FaSNDx7xhKZSd5IJ7r6P91Gez49PaZRcAZPjd%2bfbul3JNm1VqQPTLohT7wa0ymRiXpSST74xtFzuEBzNSNATdbngj3%2fwV4JesTjZjIj5Dc%3d%3blumqauVlFuuO8MQffZgs0tLJ4Fq6fpeozPTdDf8Ll6XLegi079%2b4mSPFjTK0y6eohstxdoOdom2wAHiZwk0u4KLKmRkfYOdT1wHY79qKoBQ3ZDHFTys9V%2fcwKGl%2bl8IenWDutHygn5IcA1y7GTZj4g%3d%3d\"" diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md index 58cb3f78a5..5a5ea5a354 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md @@ -78,7 +78,7 @@ If successful, this method returns 200, Ok response code with a collection of [I Here is an example of a request that gets all Indicators -``` +```http GET https://api.securitycenter.microsoft.com/api/indicators ``` @@ -86,9 +86,7 @@ GET https://api.securitycenter.microsoft.com/api/indicators Here is an example of the response. -``` -HTTP/1.1 200 Ok -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Indicators", "value": [ @@ -141,7 +139,7 @@ Content-type: application/json Here is an example of a request that gets all Indicators with 'AlertAndBlock' action -``` +```http GET https://api.securitycenter.microsoft.com/api/indicators?$filter=action+eq+'AlertAndBlock' ``` @@ -149,9 +147,7 @@ GET https://api.securitycenter.microsoft.com/api/indicators?$filter=action+eq+'A Here is an example of the response. -``` -HTTP/1.1 200 Ok -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Indicators", "value": [ diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-information.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-information.md index 7a7e85e081..d4d47fa618 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-user-information.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-user-information.md @@ -64,9 +64,8 @@ If successful and user exists - 200 OK with [user](user.md) entity in the body. Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/users/user1 -Content-type: application/json ``` **Response** @@ -74,9 +73,7 @@ Content-type: application/json Here is an example of the response. -``` -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Users/$entity", "id": "user1", diff --git a/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md index dfb9ea34c6..caa8fb231b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md @@ -84,9 +84,11 @@ If successful, this method returns 201 - Created response code and [Investigatio Here is an example of the request. -``` +```http POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/startInvestigation -Content-type: application/json +``` + +```json { - "Comment": "Test investigation", + "Comment": "Test investigation" } diff --git a/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md b/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md index 00d02c3bfe..67f0760774 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md +++ b/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md @@ -90,13 +90,15 @@ If successful, this method returns 201 - Created response code and [Machine Acti Here is an example of the request. -```console +``` POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/isolate -Content-type: application/json +``` + +```json { "Comment": "Isolate machine due to alert 1234", - “IsolationType”: “Full” + "IsolationType": "Full" } ``` -- To unisolate a device, see [Release device from isolation](unisolate-machine.md). +- To release a device from isolation, see [Release device from isolation](unisolate-machine.md). \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md b/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md index 8eef870362..df8552d5a9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md +++ b/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md @@ -87,9 +87,11 @@ If successful, this method returns 201 - Created response code and [Machine Acti Here is an example of the request. -``` +```http POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/offboard -Content-type: application/json +``` + +```json { "Comment": "Offboard machine by automation" } diff --git a/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md b/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md index fb99be0444..a78424ca79 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md +++ b/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md @@ -83,14 +83,15 @@ If successful, this method returns 201 - Created response code and [Machine Acti Here is an example of the request. -``` +```http POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/restrictCodeExecution -Content-type: application/json +``` + +```json { "Comment": "Restrict code execution due to alert 1234" } ``` -- To remove code execution restriction from a device, see [Remove app restriction](unrestrict-code-execution.md). - +- To remove code execution restriction from a device, see [Remove app restriction](unrestrict-code-execution.md). \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md index 88fddcc27b..195101b45a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md @@ -35,10 +35,10 @@ ms.technology: mde 1. You can only run a query on data from the last 30 days. 2. The results will include a maximum of 100,000 rows. 3. The number of executions is limited per tenant: - - API calls: Up to 15 calls per minute - - Execution time: 10 minutes of running time every hour and 4 hours of running time a day + - API calls: Up to 45 calls per minute. + - Execution time: 10 minutes of running time every hour and 4 hours of running time a day. 4. The maximal execution time of a single request is 10 minutes. -5. 429 response will represent reaching quota limit either by number of requests or by CPU. The 429 response body will also indicate the time until the quota is renewed. +5. 429 response will represent reaching quota limit either by number of requests or by CPU. Read response body to understand what limit has been reached. ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) @@ -82,9 +82,11 @@ Request Here is an example of the request. -``` +```http POST https://api.securitycenter.microsoft.com/api/advancedqueries/run -Content-type: application/json +``` + +```json { "Query":"DeviceProcessEvents | where InitiatingProcessFileName =~ 'powershell.exe' diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md b/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md index dda698fd60..aac2826f29 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md @@ -91,9 +91,11 @@ If successful, this method returns 201, Created response code and _MachineAction Here is an example of the request. -``` +```http POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/runAntiVirusScan -Content-type: application/json +``` + +```json { "Comment": "Check machine for viruses due to alert 3212", “ScanType”: “Full” diff --git a/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md b/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md index 26a77dc157..6ab096b9f7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md +++ b/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md @@ -84,9 +84,11 @@ If successful, this method returns 201 - Created response code and [Machine Acti Here is an example of the request. -``` +```http POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/StopAndQuarantineFile -Content-type: application/json +``` + +```json { "Comment": "Stop and quarantine file on machine due to alert 441688558380765161_2136280442", "Sha1": "87662bc3d60e4200ceaf7aae249d1c343f4b83c9" diff --git a/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md b/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md index 2ddc0fa5f4..9d41281585 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md +++ b/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md @@ -84,9 +84,11 @@ If successful, this method returns 201 - Created response code and [Machine Acti Here is an example of the request. -``` +```http POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/unisolate -Content-type: application/json +``` + +```json { "Comment": "Unisolate machine since it was clean and validated" } diff --git a/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md b/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md index c8b9276441..41934f0380 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md +++ b/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md @@ -82,9 +82,11 @@ If successful, this method returns 201 - Created response code and [Machine Acti Here is an example of the request. -``` +```http POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/unrestrictCodeExecution -Content-type: application/json +``` + +```json { "Comment": "Unrestrict code execution since machine was cleaned and validated" } diff --git a/windows/security/threat-protection/microsoft-defender-atp/update-alert.md b/windows/security/threat-protection/microsoft-defender-atp/update-alert.md index 4f6423b15e..d2f3515f96 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/update-alert.md +++ b/windows/security/threat-protection/microsoft-defender-atp/update-alert.md @@ -91,10 +91,11 @@ If successful, this method returns 200 OK, and the [alert](alerts.md) entity in Here is an example of the request. -``` +```http PATCH https://api.securitycenter.microsoft.com/api/alerts/121688558380765161_2136280442 -Content-Type: application/json +``` +```json { "status": "Resolved", "assignedTo": "secop2@contoso.com", From f803e252caab050a81ec70c30fd0ae8fb48684ef Mon Sep 17 00:00:00 2001 From: Ben Alfasi Date: Sun, 24 Jan 2021 15:46:51 +0200 Subject: [PATCH 102/116] 1 --- .../collect-investigation-package.md | 2 +- .../microsoft-defender-atp/create-alert-by-reference.md | 3 ++- .../microsoft-defender-atp/delete-ti-indicator-by-id.md | 2 +- .../microsoft-defender-atp/find-machines-by-ip.md | 2 +- .../microsoft-defender-atp/find-machines-by-tag.md | 2 +- .../get-alert-related-domain-info.md | 2 +- .../microsoft-defender-atp/get-alert-related-files-info.md | 2 +- .../microsoft-defender-atp/get-alert-related-ip-info.md | 2 +- .../get-alert-related-machine-info.md | 2 +- .../microsoft-defender-atp/get-alert-related-user-info.md | 2 +- .../threat-protection/microsoft-defender-atp/get-alerts.md | 4 ++-- .../microsoft-defender-atp/get-all-recommendations.md | 2 +- .../get-all-vulnerabilities-by-machines.md | 2 +- .../microsoft-defender-atp/get-all-vulnerabilities.md | 2 +- .../microsoft-defender-atp/get-cvekbmap-collection.md | 7 ++----- .../microsoft-defender-atp/get-device-secure-score.md | 2 +- .../get-discovered-vulnerabilities.md | 4 ++-- .../microsoft-defender-atp/get-domain-statistics.md | 2 +- .../microsoft-defender-atp/get-exposure-score.md | 2 +- .../microsoft-defender-atp/get-file-information.md | 2 +- .../microsoft-defender-atp/get-file-related-alerts.md | 2 +- .../microsoft-defender-atp/get-file-related-machines.md | 2 +- .../microsoft-defender-atp/get-file-statistics.md | 2 +- .../microsoft-defender-atp/get-installed-software.md | 2 +- .../microsoft-defender-atp/get-ip-related-alerts.md | 2 +- .../get-machine-group-exposure-score.md | 2 +- .../microsoft-defender-atp/get-machines-by-software.md | 3 +-- .../get-machines-by-vulnerability.md | 2 +- .../microsoft-defender-atp/get-missing-kbs-machine.md | 2 +- .../microsoft-defender-atp/get-missing-kbs-software.md | 2 +- .../microsoft-defender-atp/get-recommendation-by-id.md | 2 +- .../microsoft-defender-atp/get-recommendation-machines.md | 2 +- .../microsoft-defender-atp/get-recommendation-software.md | 2 +- .../get-recommendation-vulnerabilities.md | 2 +- .../microsoft-defender-atp/get-security-recommendations.md | 4 ++-- .../microsoft-defender-atp/get-software-by-id.md | 3 +-- .../get-software-ver-distribution.md | 3 +-- .../microsoft-defender-atp/get-software.md | 2 +- .../microsoft-defender-atp/get-user-related-alerts.md | 2 +- .../microsoft-defender-atp/get-user-related-machines.md | 2 +- .../microsoft-defender-atp/get-vuln-by-software.md | 3 +-- .../microsoft-defender-atp/get-vulnerability-by-id.md | 2 +- .../microsoft-defender-atp/import-ti-indicators.md | 3 ++- .../microsoft-defender-atp/isolate-machine.md | 2 +- .../microsoft-defender-atp/post-ti-indicator.md | 3 ++- .../microsoft-defender-atp/run-av-scan.md | 2 +- .../microsoft-defender-atp/update-alert.md | 2 +- 47 files changed, 54 insertions(+), 58 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md b/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md index 7c823acfd6..dea6142742 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md +++ b/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md @@ -81,7 +81,7 @@ If successful, this method returns 201 - Created response code and [Machine Acti Here is an example of the request. -``` +```http POST https://api.securitycenter.microsoft.com/api/machines/fb9ab6be3965095a09c057be7c90f0a2/collectInvestigationPackage ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md b/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md index ac6a1ed6be..91a38d3f42 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md +++ b/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md @@ -96,9 +96,10 @@ If successful, this method returns 200 OK, and a new [alert](alerts.md) object i Here is an example of the request. -``` +```http POST https://api.securitycenter.microsoft.com/api/alerts/CreateAlertByReference ``` + ```json { "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", diff --git a/windows/security/threat-protection/microsoft-defender-atp/delete-ti-indicator-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/delete-ti-indicator-by-id.md index c4921c50f4..127f52cd7a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/delete-ti-indicator-by-id.md +++ b/windows/security/threat-protection/microsoft-defender-atp/delete-ti-indicator-by-id.md @@ -73,6 +73,6 @@ If Indicator with the specified id was not found - 404 Not Found. Here is an example of the request. -``` +```http DELETE https://api.securitycenter.microsoft.com/api/indicators/995 ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md b/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md index 5a461d731b..d9ebb6559c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md +++ b/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md @@ -80,6 +80,6 @@ If the timestamp is not in the past 30 days - 400 Bad Request. Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/machines/findbyip(ip='10.248.240.38',timestamp=2019-09-22T08:44:05Z) ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-tag.md b/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-tag.md index e34e5962d8..5bb4e7756f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-tag.md +++ b/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-tag.md @@ -84,6 +84,6 @@ If successful - 200 OK with list of the machines in the response body. Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/machines/findbytag?tag=testTag&useStartsWithFilter=true ``` \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md index aaa3ab921d..c84308bef0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md @@ -77,7 +77,7 @@ If successful and alert and domain exist - 200 OK. If alert not found - 404 Not Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/alerts/636688558380765161_2136280442/domains ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md index 705b9284db..015b98dba0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md @@ -77,7 +77,7 @@ If successful and alert and files exist - 200 OK. If alert not found - 404 Not F Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/alerts/636688558380765161_2136280442/files ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md index 02701c84db..602a1fd1c4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md @@ -78,7 +78,7 @@ If successful and alert and an IP exist - 200 OK. If alert not found - 404 Not F Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/alerts/636688558380765161_2136280442/ips ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md index a5e59345c3..60d47669c1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md @@ -79,7 +79,7 @@ If successful and alert and device exist - 200 OK. If alert not found or device Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/alerts/636688558380765161_2136280442/machine ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md index a256a1f597..2afbe73739 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md @@ -78,7 +78,7 @@ If successful and alert and a user exists - 200 OK with user in the body. If ale Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/alerts/636688558380765161_2136280442/user ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md index 918af17cc7..eb0067b2ba 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md @@ -88,7 +88,7 @@ If successful, this method returns 200 OK, and a list of [alert](alerts.md) obje Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/alerts ``` @@ -152,7 +152,7 @@ Here is an example of the response. Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/alerts?$top=10&$expand=evidence ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md b/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md index 9be5af6b31..6548493ea9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md @@ -67,7 +67,7 @@ If successful, this method returns 200 OK with the list of security recommendati Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/recommendations ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities-by-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities-by-machines.md index 73cc542fda..0126da149d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities-by-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities-by-machines.md @@ -72,7 +72,7 @@ If successful, this method returns 200 OK with the list of vulnerabilities in th Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/vulnerabilities/machinesVulnerabilities ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md index 17f9e97ef1..00ade14700 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md @@ -67,7 +67,7 @@ If successful, this method returns 200 OK with the list of vulnerabilities in th Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/Vulnerabilities ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-cvekbmap-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-cvekbmap-collection.md index 41df827074..3264cc7d76 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-cvekbmap-collection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-cvekbmap-collection.md @@ -61,18 +61,15 @@ If successful and map exists - 200 OK. Here is an example of the request. -``` +```http GET https://graph.microsoft.com/testwdatppreview/CveKbMap -Content-type: application/json ``` **Response** Here is an example of the response. -``` -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context":"https://graph.microsoft.com/testwdatppreview/$metadata#CveKbMap", "@odata.count": 4168, diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md b/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md index b18413a57e..2edded89ae 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md @@ -68,7 +68,7 @@ If successful, this method returns 200 OK, with the device secure score data in Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/configurationScore ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md index 258209f10d..760ce4ddb9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md @@ -71,7 +71,7 @@ If successful, this method returns 200 OK with the discovered vulnerability info Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/vulnerabilities ``` @@ -79,7 +79,7 @@ GET https://api.securitycenter.microsoft.com/api/machines/ac233fa6208e1579620bf4 Here is an example of the response. -``` +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)", "value": [ diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md index dd3331b476..13a3f3f28f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md @@ -81,7 +81,7 @@ If successful and domain exists - 200 OK, with statistics object in the response Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/domains/example.com/stats?lookBackHours=48 ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md index c06627a36f..0288816bb4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md @@ -70,7 +70,7 @@ If successful, this method returns 200 OK, with the exposure data in the respons Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/exposureScore ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md index 019f1385c7..37b4c39da7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md @@ -76,7 +76,7 @@ If successful and file exists - 200 OK with the [file](files.md) entity in the b Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/files/4388963aaa83afe2042a46a3c017ad50bdcdafb3 ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md index dd23bde922..1ef694df96 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md @@ -79,6 +79,6 @@ If successful and file exists - 200 OK with list of [alert](alerts.md) entities Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/files/6532ec91d513acc05f43ee0aa3002599729fd3e1/alerts ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md index 981b5352e4..c0de4442c2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md @@ -79,6 +79,6 @@ If successful and file exists - 200 OK with list of [machine](machine.md) entiti Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/files/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/machines ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md index cf1898803a..ab8b12267d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md @@ -81,7 +81,7 @@ If successful and file exists - 200 OK with statistical data in the body. If fil Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/files/0991a395da64e1c5fbe8732ed11e6be064081d9f/stats?lookBackHours=48 ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-installed-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-installed-software.md index 1d74c52f25..9effa5d7a6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-installed-software.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-installed-software.md @@ -66,7 +66,7 @@ If successful, this method returns 200 OK with the installed software informatio Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/software ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md index ec0bd5533a..d4f66c71d6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md @@ -79,6 +79,6 @@ If successful and IP exists - 200 OK with list of [alert](alerts.md) entities in Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/ips/10.209.67.177/alerts ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md index f7ea61feb1..6f54986e33 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md @@ -70,7 +70,7 @@ If successful, this method returns 200 OK, with a list of exposure score per dev Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/exposureScore/ByMachineGroups ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md index cbcb0e0b06..b2f9da0734 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md @@ -67,7 +67,7 @@ If successful, this method returns 200 OK and a list of devices with the softwar Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/machineReferences ``` @@ -76,7 +76,6 @@ GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/machi Here is an example of the response. ```json - { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#MachineReferences", "value": [ diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md index 35a821c812..bf4208cd36 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md @@ -67,7 +67,7 @@ If successful, this method returns 200 OK with the vulnerability information in Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/vulnerabilities/CVE-2019-0608/machineReferences ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md index abb4bd89f5..d3c13ddae1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md @@ -62,7 +62,7 @@ If successful, this method returns 200 OK, with the specified device missing kb Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/machines/2339ad14a01bd0299afb93dfa2550136057bff96/getmissingkbs ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md index 4c037b678e..3b53dabe02 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md @@ -68,7 +68,7 @@ If successful, this method returns 200 OK, with the specified software missing k Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/getmissingkbs ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md index d752962405..5548416186 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md @@ -67,7 +67,7 @@ If successful, this method returns 200 OK with the security recommendations in t Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/recommendations/va-_-google-_-chrome ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md index 7d46d6e6fe..fa448849b7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md @@ -67,7 +67,7 @@ If successful, this method returns 200 OK with the list of devices associated wi Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/recommendations/va-_-google-_-chrome/machineReferences ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md index 4f144b37e3..0fcdc3e55a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md @@ -67,7 +67,7 @@ If successful, this method returns 200 OK with the software associated with the Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/recommendations/va-_-google-_-chrome/software ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md index 6c606f3bfc..e4a52ff2a7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md @@ -67,7 +67,7 @@ If successful, this method returns 200 OK, with the list of vulnerabilities asso Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/recommendations/va-_-google-_-chrome/vulnerabilities ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md b/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md index f08ce4f926..2581a14cb0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md @@ -70,7 +70,7 @@ If successful, this method returns 200 OK with the security recommendations in t Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/recommendations ``` @@ -79,7 +79,7 @@ GET https://api.securitycenter.microsoft.com/api/machines/ac233fa6208e1579620bf4 Here is an example of the response. -``` +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Recommendations", "value": [ diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md index da3f09fb2d..58ff771315 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md @@ -67,7 +67,7 @@ If successful, this method returns 200 OK with the specified software data in th Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge ``` @@ -76,7 +76,6 @@ GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge Here is an example of the response. ```json - { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Software/$entity", "id": "microsoft-_-edge", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md b/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md index c707f59ef2..897e0c91a7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md @@ -67,7 +67,7 @@ If successful, this method returns 200 OK with a list of software distributions Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/distributions ``` @@ -76,7 +76,6 @@ GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/distr Here is an example of the response. ```json - { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Distributions", "value": [ diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-software.md index 95e59d134f..b070207ed0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-software.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-software.md @@ -66,7 +66,7 @@ If successful, this method returns 200 OK with the software inventory in the bod Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/Software ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md index 7705c00e4b..341e56d35d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md @@ -81,6 +81,6 @@ If successful and user exists - 200 OK. If the user does not exist - 404 Not Fou Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/users/user1/alerts ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md index 7cab2321b4..b91c080c8e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md @@ -82,6 +82,6 @@ If successful and user exists - 200 OK with list of [machine](machine.md) entiti Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/users/user1/machines ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md index c60ff31fdb..762572746a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md @@ -67,7 +67,7 @@ If successful, this method returns 200 OK with a a list of vulnerabilities expos Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/vulnerabilities ``` @@ -76,7 +76,6 @@ GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/vulne Here is an example of the response. ```json - { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)", "value": [ diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md index e8cc9c8257..441ac6bf08 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md @@ -67,7 +67,7 @@ If successful, this method returns 200 OK with the vulnerability information in Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/Vulnerabilities/CVE-2019-0608 ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/import-ti-indicators.md b/windows/security/threat-protection/microsoft-defender-atp/import-ti-indicators.md index 8e33f2ae5c..ae63ad7d4b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/import-ti-indicators.md +++ b/windows/security/threat-protection/microsoft-defender-atp/import-ti-indicators.md @@ -79,9 +79,10 @@ Indicators | List<[Indicator](ti-indicator.md)> | List of [Indicators](ti-indica Here is an example of the request. -``` +```http POST https://api.securitycenter.microsoft.com/api/indicators/import ``` + ```json { "Indicators": diff --git a/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md b/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md index 67f0760774..15f0c9b691 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md +++ b/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md @@ -90,7 +90,7 @@ If successful, this method returns 201 - Created response code and [Machine Acti Here is an example of the request. -``` +```http POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/isolate ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md b/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md index c5bedda425..f019e3a9d3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md +++ b/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md @@ -89,9 +89,10 @@ rbacGroupNames | String | Comma-separated list of RBAC group names the indicator Here is an example of the request. -``` +```http POST https://api.securitycenter.microsoft.com/api/indicators ``` + ```json { "indicatorValue": "220e7d15b011d7fac48f2bd61114db1022197f7f", diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md b/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md index aac2826f29..68a10a5e99 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md @@ -98,7 +98,7 @@ POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2 ```json { "Comment": "Check machine for viruses due to alert 3212", - “ScanType”: “Full” + "ScanType": "Full" } ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/update-alert.md b/windows/security/threat-protection/microsoft-defender-atp/update-alert.md index d2f3515f96..a19d0d51e1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/update-alert.md +++ b/windows/security/threat-protection/microsoft-defender-atp/update-alert.md @@ -103,4 +103,4 @@ PATCH https://api.securitycenter.microsoft.com/api/alerts/121688558380765161_213 "determination": "Malware", "comment": "Resolve my alert and assign to secop2" } -``` +``` \ No newline at end of file From c8dde0220a6429f0e4fa375709c1b642f5ec4a98 Mon Sep 17 00:00:00 2001 From: Ben Alfasi Date: Sun, 24 Jan 2021 16:17:49 +0200 Subject: [PATCH 103/116] 5 --- .../threat-protection/microsoft-defender-atp/investigation.md | 2 +- .../threat-protection/microsoft-defender-atp/machine.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigation.md b/windows/security/threat-protection/microsoft-defender-atp/investigation.md index 6afbbec900..64b309d544 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigation.md @@ -40,7 +40,7 @@ Represent an Automated Investigation entity in Defender for Endpoint. Method|Return Type |Description :---|:---|:--- [List Investigations](get-investigation-collection.md) | Investigation collection | Get collection of Investigation -[Get single Investigation](get-investigation-collection.md) | Investigation entity | Gets single Investigation entity. +[Get single Investigation](get-investigation-object.md) | Investigation entity | Gets single Investigation entity. [Start Investigation](initiate-autoir-investigation.md) | Investigation entity | Starts Investigation on a device. diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine.md b/windows/security/threat-protection/microsoft-defender-atp/machine.md index c0cfd906a5..896f5ca654 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machine.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machine.md @@ -62,7 +62,7 @@ version | String | Operating system Version. osBuild | Nullable long | Operating system build number. lastIpAddress | String | Last IP on local NIC on the [machine](machine.md). lastExternalIpAddress | String | Last IP through which the [machine](machine.md) accessed the internet. -healthStatus | Enum | [machine](machine.md) health status. Possible values are: "Active", "Inactive", "ImpairedCommunication", "NoSensorData" and "NoSensorDataImpairedCommunication" +healthStatus | Enum | [machine](machine.md) health status. Possible values are: "Active", "Inactive", "ImpairedCommunication", "NoSensorData", "NoSensorDataImpairedCommunication" and "Unknown". rbacGroupName | String | Machine group Name. rbacGroupId | Int | Machine group unique ID. riskScore | Nullable Enum | Risk score as evaluated by Microsoft Defender for Endpoint. Possible values are: 'None', 'Informational', 'Low', 'Medium' and 'High'. From 5823e24e7ac6d543273fdbf8963a454ad921f8d6 Mon Sep 17 00:00:00 2001 From: Ben Alfasi Date: Sun, 24 Jan 2021 16:50:27 +0200 Subject: [PATCH 104/116] 3 --- .../microsoft-defender-atp/run-advanced-query-api.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md index 195101b45a..1f52029bfe 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md @@ -36,7 +36,7 @@ ms.technology: mde 2. The results will include a maximum of 100,000 rows. 3. The number of executions is limited per tenant: - API calls: Up to 45 calls per minute. - - Execution time: 10 minutes of running time every hour and 4 hours of running time a day. + - Execution time: 10 minutes of running time every hour and 3 hours of running time a day. 4. The maximal execution time of a single request is 10 minutes. 5. 429 response will represent reaching quota limit either by number of requests or by CPU. Read response body to understand what limit has been reached. From 28dedc57f594e67d556975d66849129bc3307241 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 25 Jan 2021 12:35:49 -0800 Subject: [PATCH 105/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 195c784c4e..85158c1cb2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -11,7 +11,7 @@ ms.sitesec: library ms.pagetype: security ms.author: deniseb author: denisebmsft -ms.date: 01/22/2021 +ms.date: 01/25/2021 ms.localizationpriority: medium manager: dansimp audience: ITPro @@ -38,12 +38,14 @@ In endpoint protection, a false positive is an entity, such as a file or a proce 3. [Reviewing and defining exclusions](#part-3-review-or-define-exclusions-for-microsoft-defender-for-endpoint) 4. [Submitting an entity for analysis](#part-4-submit-a-file-for-analysis) 5. [Reviewing and adjusting your threat protection settings](#part-5-review-and-adjust-your-threat-protection-settings) +6. [Getting help if you still have issues with false positives/negatives](#still-need-help) -This article also includes information about [what to do if you still need help](#still-need-help) after taking the recommended steps to address false positives/negatives in your environment. +> [!IMPORTANT] +> This article is intended for security operators and administrators. ## Part 1: Review and classify alerts -If your security operations team see an alert that was triggered because something was detected as malicious or suspicious that should not have been, you can suppress the alert for that entity. You can also suppress alerts that are not necessarily false positives, but are unimportant. We recommend that you classify alerts as well. +If you see an alert that was triggered because something was detected as malicious or suspicious that should not have been, you can suppress the alert for that entity. You can also suppress alerts that are not necessarily false positives, but are unimportant. We recommend that you classify alerts as well. Managing your alerts and classifying true/false positives helps to train your threat protection solution and can reduce the number of false positives or false negatives over time. Taking these steps also helps reduce noise in your security operations dashboard so that your security team can focus on higher priority work items. From 4562ca67bd6db40e1773e49f74f9839efde54300 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 25 Jan 2021 12:39:33 -0800 Subject: [PATCH 106/116] Update defender-endpoint-false-positives-negatives.md --- ...defender-endpoint-false-positives-negatives.md | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 85158c1cb2..8e5c202978 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -136,7 +136,8 @@ To define exclusions across Microsoft Defender for Endpoint, perform the followi - [Define exclusions for Microsoft Defender Antivirus](#exclusions-for-microsoft-defender-antivirus) - [Create “allow” indicators for Microsoft Defender for Endpoint](#indicators-for-microsoft-defender-for-endpoint) -Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response), [attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction), and [controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/controlled-folders). Files that you exclude using the methods described in this article can still trigger alerts and other detections. To exclude files broadly, use [custom indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators), such as "allow" indicators for Microsoft Defender for Endpoint. +> [!NOTE] +> Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response), [attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction), and [controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/controlled-folders). Files that you exclude using the methods described in this article can still trigger alerts and other detections. To exclude files broadly, use [custom indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators), such as "allow" indicators for Microsoft Defender for Endpoint. The procedures in this section describe how to define exclusions and indicators. @@ -169,20 +170,20 @@ In general, you should not need to define exclusions for Microsoft Defender Anti ### Indicators for Microsoft Defender for Endpoint -[Indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) (specifically, indicators of compromise, or IoCs) enable your security operations team to define the detection, prevention, and exclusion of entities. For example, your security operations team can specify certain files to be omitted from scans and remediation actions in Microsoft Defender for Endpoint. Or, indicators can be used to generate alerts for certain files, IP addresses, or URLs. +[Indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) (specifically, indicators of compromise, or IoCs) enable your security operations team to define the detection, prevention, and exclusion of entities. For example, you can specify certain files to be omitted from scans and remediation actions in Microsoft Defender for Endpoint. Or, indicators can be used to generate alerts for certain files, IP addresses, or URLs. -To specify entities as exclusions for Microsoft Defender for Endpoint, your security team can create "allow" indicators for those entities. Such "allow" indicators in Microsoft Defender for Endpoint apply to: +To specify entities as exclusions for Microsoft Defender for Endpoint, you can create "allow" indicators for those entities. Such "allow" indicators in Microsoft Defender for Endpoint apply to: - [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) - [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) - [Automated investigation & remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) -Your security team can create indicators for files, IP addresses, URLs, domains, and certificates, as described in the following table: +You can create indicators for files, IP addresses, URLs, domains, and certificates, as described in the following table: -| Indicator | Prerequisites | +| Indicator type and considerations | Prerequisites | |:----|:----| -|**[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)**

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action

Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a few minutes, but can take upwards of 30 minutes. | Microsoft Defender Antivirus with cloud-based protection enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later

Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019

[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features) | -| **[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)**

Full URL path blocks can be applied on the domain level and all unencrypted URLs

IP is supported for all three protocols

Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.

There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) | Network protection in Defender for Endpoint is enabled in block mode (See [Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Antimalware client version: 4.18.1906.x or later

Devices are running Windows 10, version 1709 or later

Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | +|**[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)**

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action. Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a few minutes, but can take upwards of 30 minutes. | Microsoft Defender Antivirus with cloud-based protection enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later

Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019

[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features) | +| **[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)**

Full URL path blocks can be applied on the domain level and all unencrypted URLs. IP is supported for all three protocols. Only external IPs can be added to the indicator list; indicators cannot be created for internal IPs.

For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.

There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) | Network protection in Defender for Endpoint is enabled in block mode (See [Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Antimalware client version: 4.18.1906.x or later

Devices are running Windows 10, version 1709 or later

Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | | **[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)**

`.CER` or `.PEM` file extensions are supported.

A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC. | Microsoft Defender Antivirus with cloud-based protection is enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later

Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019

Virus and threat protection definitions are up to date | > [!TIP] From 5928b1b0cfbd5d7b5630ea698680f7f63aeaa643 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 25 Jan 2021 12:42:43 -0800 Subject: [PATCH 107/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 8e5c202978..084f8103db 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -183,15 +183,15 @@ You can create indicators for files, IP addresses, URLs, domains, and certificat | Indicator type and considerations | Prerequisites | |:----|:----| |**[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)**

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action. Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a few minutes, but can take upwards of 30 minutes. | Microsoft Defender Antivirus with cloud-based protection enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later

Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019

[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features) | -| **[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)**

Full URL path blocks can be applied on the domain level and all unencrypted URLs. IP is supported for all three protocols. Only external IPs can be added to the indicator list; indicators cannot be created for internal IPs.

For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.

There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) | Network protection in Defender for Endpoint is enabled in block mode (See [Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)

Antimalware client version: 4.18.1906.x or later

Devices are running Windows 10, version 1709 or later

Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | -| **[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)**

`.CER` or `.PEM` file extensions are supported.

A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.

Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC. | Microsoft Defender Antivirus with cloud-based protection is enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later

Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019

Virus and threat protection definitions are up to date | +| **[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)**

Full URL path blocks can be applied on the domain level and all unencrypted URLs. IP is supported for all three protocols. Only external IPs can be added to the indicator list; indicators cannot be created for internal IPs.

For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.

There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) | Network protection in Defender for Endpoint enabled in block mode (See [Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection))

Antimalware client version: 4.18.1906.x or later

Devices are running Windows 10, version 1709 or later

Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | +| **[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)**

`.CER` or `.PEM` file extensions are supported. A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft. Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC. | Microsoft Defender Antivirus with cloud-based protection is enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later

Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019

Virus and threat protection definitions are up to date | > [!TIP] > When you create indicators, you can define them one by one or import multiple items at once. Keep in mind there's a limit of 15,000 indicators you can have in a single tenant. And, you might need to gather certain details first, such as file hash information. Make sure to review the prerequisites before you [create indicators](manage-indicators.md). ## Part 4: Submit a file for analysis -You can submit entities, such as files and fileless detections, to Microsoft for analysis. Microsoft security researchers analyze all submissions. After you sign in at the submission site, you can track your submissions. +You can submit entities, such as files and fileless detections, to Microsoft for analysis. Microsoft security researchers analyze all submissions. When you sign in at the submission site, you can track your submissions. ### Submit a file for analysis @@ -202,7 +202,7 @@ If you have a file that was either wrongly detected as malicious or was missed, ### Submit a fileless detection for analysis -If something was detected as malware based on behavior, and you don’t have a file, you can submit your Mpsupport.cab file for analysis. You can get the .cab file by using the Microsoft Malware Protection Command-Line Utility (MPCmdRun.exe) tool. +If something was detected as malware based on behavior, and you don’t have a file, you can submit your `Mpsupport.cab` file for analysis. You can get the .cab file by using the Microsoft Malware Protection Command-Line Utility (MPCmdRun.exe) tool. 1. Go to ` C:\ProgramData\Microsoft\Windows Defender\Platform\`, and then run `MpCmdRun.exe` as an administrator. 2. Type `mpcmdrun.exe -GetFiles`, and then press **Enter**. @@ -294,6 +294,10 @@ We recommend using Microsoft Endpoint Manager to edit or set PUA protection sett 8. On the **Applicability Rules** tab, specify the OS editions or versions to include or exclude from the policy. For example, you can set the policy to be applied to all devices certain editions of Windows 10. Then choose **Next**. 9. On the **Review + create** tab, review your settings, and, and then choose **Create**. +### Automated investigation and remediation + + + ## Still need help? If you still need help after working through all the steps in this article, your best bet is to contact technical support. From 2309a9407d18e11647f246145b695b5374280108 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 25 Jan 2021 13:14:30 -0800 Subject: [PATCH 108/116] Update defender-endpoint-false-positives-negatives.md --- ...nder-endpoint-false-positives-negatives.md | 32 +++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 084f8103db..f8d93d2f54 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -296,7 +296,39 @@ We recommend using Microsoft Endpoint Manager to edit or set PUA protection sett ### Automated investigation and remediation +[Automated investigation and remediation](automated-investigations.md) (AIR) capabilities are designed to examine alerts and take immediate action to resolve breaches. As alerts are triggered, and an automated investigation runs, a verdict is generated for each piece of evidence investigated. Verdicts can be *Malicious*, *Suspicious*, or *No threats found*. +Depending on the [level of automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels) set for your organization, as well as other security settings, remediation actions can occur automatically or only upon approval by your security operations team. Examples of remediation actions include sending a file to quarantine, stopping a service, removing a scheduled task, and more. (See [Remediation actions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation#remediation-actions).) + +All remediation actions, whether pending or completed, can be viewed in the Action Center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)). If necessary, your security operations team can undo a remediation action. And, you can set or change your level of automation. + +### Review actions that were taken + +1. Go to the Action Center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in. +2. Select the **History** tab. +3. Select an item to view more details about that remediation action. + +### Undo remediation actions + +If you’ve determined that a device or a file is not a threat, you can undo remediation actions that were taken, whether those actions were taken automatically or manually. You can undo actions, such as isolating a device, restricting code execution, quarantining a file, removing a registry key, stopping a service, and more. + +1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in. +2. Select the **History** tab. +3. Select the actions that you want to undo. +4. In the pane on the right side of the screen, select **Undo**. + +> [!TIP] +> To learn more about remediation actions, see [Review and approve remediation actions following an automated investigation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation#remediation-actions). + +### Review and if needed, edit your automation level + +AIR capabilities in Defender for Endpoint are configured to one of several [levels of automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels). + +- *Full automation* (recommended) means remediation actions are taken automatically on artifacts determined to be malicious. +- *Semi-automation* means some remediation actions are taken automatically, but other remediation actions await approval before being taken. +- *No automated response* (not recommended) means automated investigations do not run on your organization's devices, and no remediation actions are taken or pending as a result of automated investigation. + +To review your AIR configuration and learn more about automation levels, see [Configure AIR capabilities in Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation) and the [Levels of automation table](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels#levels-of-automation). ## Still need help? From 27efc5c2bc073c2823d0882dc57c7c9f1f0b8cf6 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 25 Jan 2021 13:16:18 -0800 Subject: [PATCH 109/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index f8d93d2f54..24e9fbf78e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -328,11 +328,13 @@ AIR capabilities in Defender for Endpoint are configured to one of several [leve - *Semi-automation* means some remediation actions are taken automatically, but other remediation actions await approval before being taken. - *No automated response* (not recommended) means automated investigations do not run on your organization's devices, and no remediation actions are taken or pending as a result of automated investigation. -To review your AIR configuration and learn more about automation levels, see [Configure AIR capabilities in Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation) and the [Levels of automation table](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels#levels-of-automation). +To review your AIR configuration and learn more about automation levels, see: +- [Configure AIR capabilities in Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation) +- [Levels of automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels#levels-of-automation) ## Still need help? -If you still need help after working through all the steps in this article, your best bet is to contact technical support. +If you have worked through all the steps in this article and still need help, your best bet is to contact technical support. 1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. 2. In the upper right corner, select the question mark (**?**), and then select **Microsoft support**. From 708066fb3779d7e195bc664c7dd7ee24cab311e9 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 25 Jan 2021 13:21:09 -0800 Subject: [PATCH 110/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 24e9fbf78e..695656e24e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -231,6 +231,7 @@ Microsoft Defender for Endpoint offers a wide variety of options, including the - [Cloud-delivered protection](#cloud-delivered-protection) - [Remediation for potentially unwanted applications](#remediation-for-potentially-unwanted-applications) +- [Automated investigation and remediation](#automated-investigation-and-remediation) ### Cloud-delivered protection From dd563409f25933ff6510d5d4c2a062857ced65e4 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 25 Jan 2021 13:29:24 -0800 Subject: [PATCH 111/116] Update defender-endpoint-false-positives-negatives.md --- ...nder-endpoint-false-positives-negatives.md | 34 ++----------------- 1 file changed, 3 insertions(+), 31 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 695656e24e..d201884712 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -299,39 +299,11 @@ We recommend using Microsoft Endpoint Manager to edit or set PUA protection sett [Automated investigation and remediation](automated-investigations.md) (AIR) capabilities are designed to examine alerts and take immediate action to resolve breaches. As alerts are triggered, and an automated investigation runs, a verdict is generated for each piece of evidence investigated. Verdicts can be *Malicious*, *Suspicious*, or *No threats found*. -Depending on the [level of automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels) set for your organization, as well as other security settings, remediation actions can occur automatically or only upon approval by your security operations team. Examples of remediation actions include sending a file to quarantine, stopping a service, removing a scheduled task, and more. (See [Remediation actions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation#remediation-actions).) +Depending on the [level of automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels) set for your organization, as well as other security settings, remediation actions can occur automatically or only upon approval by your security operations team. -All remediation actions, whether pending or completed, can be viewed in the Action Center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)). If necessary, your security operations team can undo a remediation action. And, you can set or change your level of automation. - -### Review actions that were taken - -1. Go to the Action Center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in. -2. Select the **History** tab. -3. Select an item to view more details about that remediation action. - -### Undo remediation actions - -If you’ve determined that a device or a file is not a threat, you can undo remediation actions that were taken, whether those actions were taken automatically or manually. You can undo actions, such as isolating a device, restricting code execution, quarantining a file, removing a registry key, stopping a service, and more. - -1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in. -2. Select the **History** tab. -3. Select the actions that you want to undo. -4. In the pane on the right side of the screen, select **Undo**. - -> [!TIP] -> To learn more about remediation actions, see [Review and approve remediation actions following an automated investigation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation#remediation-actions). - -### Review and if needed, edit your automation level - -AIR capabilities in Defender for Endpoint are configured to one of several [levels of automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels). - -- *Full automation* (recommended) means remediation actions are taken automatically on artifacts determined to be malicious. -- *Semi-automation* means some remediation actions are taken automatically, but other remediation actions await approval before being taken. -- *No automated response* (not recommended) means automated investigations do not run on your organization's devices, and no remediation actions are taken or pending as a result of automated investigation. - -To review your AIR configuration and learn more about automation levels, see: +- [Learn more about automation levels](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels) - [Configure AIR capabilities in Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation) -- [Levels of automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels#levels-of-automation) + ## Still need help? From 995a3ed9aa6c99a38ad8714908adb25b3b8e16c0 Mon Sep 17 00:00:00 2001 From: jcaparas Date: Mon, 25 Jan 2021 13:38:04 -0800 Subject: [PATCH 112/116] Update initiate-autoir-investigation.md --- .../microsoft-defender-atp/initiate-autoir-investigation.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md index caa8fb231b..5617ebcae7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md @@ -92,3 +92,4 @@ POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2 { "Comment": "Test investigation" } +``` From 3abff941ef1a32cac37e1abe0cf9fee91dc35f7f Mon Sep 17 00:00:00 2001 From: jcaparas Date: Mon, 25 Jan 2021 13:39:46 -0800 Subject: [PATCH 113/116] Update get-software-by-id.md --- .../microsoft-defender-atp/get-software-by-id.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md index 58ff771315..43ed0055bf 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md @@ -1,6 +1,6 @@ --- title: Get software by Id -description: Retrieves a list of exposure scores by device group. +description: Retrieves a list of sofware by ID. keywords: apis, graph api, supported apis, get, software, mdatp tvm api search.product: eADQiWindows 10XVcnh ms.prod: m365-security From 68d2209f6732092de9cfbad01bf0e1686feb07f3 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 25 Jan 2021 13:55:09 -0800 Subject: [PATCH 114/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index d201884712..9707bf3e13 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -101,6 +101,9 @@ If you have alerts that are either false positives or that are true positives bu Other actions, such as starting an antivirus scan or collecting an investigation package, can occur through [Live Response](live-response.md). Those actions cannot be undone. +> [!TIP] +> See [Review remediation actions following an automated investigation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation). + ### Review completed actions 1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in. @@ -301,8 +304,8 @@ We recommend using Microsoft Endpoint Manager to edit or set PUA protection sett Depending on the [level of automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels) set for your organization, as well as other security settings, remediation actions can occur automatically or only upon approval by your security operations team. -- [Learn more about automation levels](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels) -- [Configure AIR capabilities in Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation) +- [Learn more about automation levels](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels); and then +- [Configure AIR capabilities in Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation). ## Still need help? From 2c2052341de9a76ccc675be197d8f9e4b88a4cec Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 25 Jan 2021 14:01:18 -0800 Subject: [PATCH 115/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 9707bf3e13..573ce0cf3f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -302,7 +302,7 @@ We recommend using Microsoft Endpoint Manager to edit or set PUA protection sett [Automated investigation and remediation](automated-investigations.md) (AIR) capabilities are designed to examine alerts and take immediate action to resolve breaches. As alerts are triggered, and an automated investigation runs, a verdict is generated for each piece of evidence investigated. Verdicts can be *Malicious*, *Suspicious*, or *No threats found*. -Depending on the [level of automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels) set for your organization, as well as other security settings, remediation actions can occur automatically or only upon approval by your security operations team. +Depending on the [level of automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels) set for your organization, as well as other security settings, remediation actions are taken on artifacts deemed Malicious or Suspicious. Remediation actions can occur automatically, or only upon approval by your security operations team. - [Learn more about automation levels](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels); and then - [Configure AIR capabilities in Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation). From 2e2653dbb8763aa1004865b394c8bbae887b2adf Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 25 Jan 2021 15:13:56 -0800 Subject: [PATCH 116/116] Update defender-endpoint-false-positives-negatives.md --- .../defender-endpoint-false-positives-negatives.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 573ce0cf3f..9e49265a2f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -205,7 +205,7 @@ If you have a file that was either wrongly detected as malicious or was missed, ### Submit a fileless detection for analysis -If something was detected as malware based on behavior, and you don’t have a file, you can submit your `Mpsupport.cab` file for analysis. You can get the .cab file by using the Microsoft Malware Protection Command-Line Utility (MPCmdRun.exe) tool. +If something was detected as malware based on behavior, and you don’t have a file, you can submit your `Mpsupport.cab` file for analysis. You can get the *.cab* file by using the Microsoft Malware Protection Command-Line Utility (MPCmdRun.exe) tool on Windows 10. 1. Go to ` C:\ProgramData\Microsoft\Windows Defender\Platform\`, and then run `MpCmdRun.exe` as an administrator. 2. Type `mpcmdrun.exe -GetFiles`, and then press **Enter**.