mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-20 04:43:37 +00:00
Merged PR 13310: update
This commit is contained in:
Joey Caparas
@ -22,7 +22,7 @@ Over the past few years, Microsoft has continued their commitment to enabling a
|
||||
### 1. Develop a password replacement offering
|
||||
Before you move away from passwords, you need something to replace them. With Windows 10, Microsoft introduced Windows Hello for Business, a strong, hardware protected two-factor credential that enables single-sign on to Azure Active Directory and Active Directory.
|
||||
|
||||
Deploying Windows Hello for Business is the first step towards password-less. With Windows Hello for Business deployed, it coexists with password nicely. Users are likely to useWindows Hello for Business because of its convenience, especially when combined with biometrics. However, some workflows and applications may still need passwords. This early stage is about implementing an alternative and getting users used to it.
|
||||
Deploying Windows Hello for Business is the first step towards password-less. With Windows Hello for Business deployed, it coexists with password nicely. Users are likely to use Windows Hello for Business because of its convenience, especially when combined with biometrics. However, some workflows and applications may still need passwords. This early stage is about implementing an alternative and getting users used to it.
|
||||
|
||||
### 2. Reduce user-visible password surface area
|
||||
With Windows Hello for Business and passwords coexisting in your environment, the next step towards password-less is to reduce the password surface. The environment and workflows need to stop asking for passwords. The goal of this step is to achieve a state where the user knows they have a password, but they never user it. This state helps decondition users from providing a password any time a password prompt shows on their computer. This is a how passwords are phished. Users who rarely, it at all, use their password are unlikely to provide it. Password prompts are no longer the norm.
|
||||
|
||||
Binary file not shown.
|
After Width: | Height: | Size: 142 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 89 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 130 KiB |
@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
author: aadake
|
||||
ms.date: 10/03/2018
|
||||
ms.date: 12/08/2018
|
||||
---
|
||||
|
||||
# Kernel DMA Protection for Thunderbolt™ 3
|
||||
@ -65,11 +65,17 @@ Systems released prior to Windows 10 version 1803 do not support Kernel DMA Prot
|
||||
|
||||
Systems running Windows 10 version 1803 that do support Kernel DMA Protection do have this security feature enabled automatically by the OS with no user or IT admin configuration required.
|
||||
|
||||
**To check if a device supports Kernel DMA Protection**
|
||||
### Using Security Center
|
||||
|
||||
Beginning with Wndows 10 version 1809, you can use Security Center to check if Kernel DMA Protection is enabled. Click **Start** > **Settings** > **Update & Security** > **Windows Security** > **Open Windows Security** > **Device security** > **Core isolation details** > **Memory access protection**.
|
||||
|
||||
|
||||
|
||||
### Using System information
|
||||
|
||||
1. Launch MSINFO32.exe in a command prompt, or in the Windows search bar.
|
||||
2. Check the value of **Kernel DMA Protection**.
|
||||
|
||||
|
||||
3. If the current state of **Kernel DMA Protection** is OFF and **Virtualization Technology in Firmware** is NO:
|
||||
- Reboot into BIOS settings
|
||||
- Turn on Intel Virtualization Technology.
|
||||
|
||||
Binary file not shown.
|
After Width: | Height: | Size: 58 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 64 KiB |
@ -11,7 +11,7 @@ ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
author: andreabichsel
|
||||
ms.author: v-anbic
|
||||
ms.date: 09/03/2018
|
||||
ms.date: 12/10/2018
|
||||
---
|
||||
|
||||
# Configure and manage Windows Defender Antivirus with the mpcmdrun.exe command-line tool
|
||||
@ -37,16 +37,20 @@ MpCmdRun.exe [command] [-options]
|
||||
|
||||
Command | Description
|
||||
:---|:---
|
||||
\- ? **or** -h | Displays all available options for the tool
|
||||
\-Scan [-ScanType #] [-File <path> [-DisableRemediation] [-BootSectorScan]][-Timeout <days>] | Scans for malicious software
|
||||
\-Trace [-Grouping #] [-Level #]| Starts diagnostic tracing
|
||||
\-GetFiles | Collects support information
|
||||
\-RemoveDefinitions [-All] | Restores the installed signature definitions to a previous backup copy or to the original default set of signatures
|
||||
\-AddDynamicSignature [-Path] | Loads a dynamic signature
|
||||
\-ListAllDynamicSignature [-Path] | Lists the loaded dynamic signatures
|
||||
\-RemoveDynamicSignature [-SignatureSetID] | Removes a dynamic signature
|
||||
\-ValidateMapsConnection | Used to validate connection to the [cloud-delivered protection service](configure-network-connections-windows-defender-antivirus.md)
|
||||
\-SignatureUpdate [-UNC [-Path <path>]] | Checks for new definition updates
|
||||
\-? **or** -h | Displays all available options for this tool
|
||||
\-Scan [-ScanType #] [-File <path> [-DisableRemediation] [-BootSectorScan]] [-Timeout <days>] [-Cancel] | Scans for malicious software
|
||||
\-Trace [-Grouping #] [-Level #] | Starts diagnostic tracing
|
||||
\-GetFiles | Collects support information
|
||||
\-GetFilesDiagTrack | Same as Getfiles but outputs to temporary DiagTrack folder
|
||||
\-RemoveDefinitions [-All] | Restores the installed signature definitions to a previous backup copy or to the original default set of signatures
|
||||
\-RemoveDefinitions [-DynamicSignatures] | Removes only the dynamically downloaded signatures
|
||||
\-SignatureUpdate [-UNC \| -MMPC] | Checks for new definition updates
|
||||
\-Restore [-ListAll \| [[-Name <name>] [-All] \| [-FilePath <filePath>]] [-Path <path>]] | Restores or lists quarantined item(s)
|
||||
\-AddDynamicSignature [-Path] | Loads a dynamic signature
|
||||
\-ListAllDynamicSignatures | Lists the loaded dynamic signatures
|
||||
\-RemoveDynamicSignature [-SignatureSetID] | Removes a dynamic signature
|
||||
\-CheckExclusion -path <path> | Checks whether a path is excluded
|
||||
|
||||
|
||||
## Related topics
|
||||
|
||||
|
||||
@ -11,7 +11,7 @@ ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
author: andreabichsel
|
||||
ms.author: v-anbic
|
||||
ms.date: 09/03/2018
|
||||
ms.date: 12/10/2018
|
||||
---
|
||||
|
||||
# Configure and validate exclusions based on file extension and folder location
|
||||
@ -264,7 +264,7 @@ The following table describes how the wildcards can be used and provides some ex
|
||||
|
||||
## Review the list of exclusions
|
||||
|
||||
You can retrieve the items in the exclusion list with [Intune](https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune), [System Center Configuration Manager](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), PowerShell, or the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions).
|
||||
You can retrieve the items in the exclusion list with [Intune](https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune), [System Center Configuration Manager](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), MpCmdRun, PowerShell, or the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions).
|
||||
|
||||
>[!IMPORTANT]
|
||||
>Exclusion list changes made with Group Policy **will show** in the lists in the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions).
|
||||
@ -276,7 +276,18 @@ If you use PowerShell, you can retrieve the list in two ways:
|
||||
- Retrieve the status of all Windows Defender Antivirus preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line.
|
||||
- Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line.
|
||||
|
||||
**Review the list of exclusions alongside all other Windows Defender Antivirus preferences:**
|
||||
**Validate the exclusion list by using MpCmdRun:**
|
||||
|
||||
To check exclusions with the dedicated [command-line tool mpcmdrun.exe](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus?branch=v-anbic-wdav-new-mpcmdrun-options), use the following command:
|
||||
|
||||
```DOS
|
||||
MpCmdRun.exe -CheckExclusion -path <path>
|
||||
```
|
||||
|
||||
>[!NOTE]
|
||||
>Checking exclusions with MpCmdRun requires Windows Defender Antivirus CAMP version 4.18.1812.3 (released in December 2018) or later.
|
||||
|
||||
**Review the list of exclusions alongside all other Windows Defender Antivirus preferences by using PowerShell:**
|
||||
|
||||
Use the following cmdlet:
|
||||
|
||||
@ -290,7 +301,7 @@ In the following example, the items contained in the `ExclusionExtension` list a
|
||||
|
||||
See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
|
||||
|
||||
**Retrieve a specific exclusions list:**
|
||||
**Retrieve a specific exclusions list by using PowerShell:**
|
||||
|
||||
Use the following code snippet (enter each line as a separate command); replace **WDAVprefs** with whatever label you want to name the variable:
|
||||
|
||||
|
||||
@ -11,7 +11,7 @@ ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
author: andreabichsel
|
||||
ms.author: v-anbic
|
||||
ms.date: 09/03/2018
|
||||
ms.date: 12/10/2018
|
||||
---
|
||||
|
||||
# Configure exclusions for files opened by processes
|
||||
@ -147,14 +147,26 @@ Environment variables | The defined variable will be populated as a path when th
|
||||
|
||||
## Review the list of exclusions
|
||||
|
||||
You can retrieve the items in the exclusion list with PowerShell, [System Center Configuration Manager](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), [Intune](https://docs.microsoft.com/intune/device-restrictions-configure), or the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions).
|
||||
You can retrieve the items in the exclusion list with MpCmdRun, PowerShell, [System Center Configuration Manager](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), [Intune](https://docs.microsoft.com/intune/device-restrictions-configure), or the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions).
|
||||
|
||||
If you use PowerShell, you can retrieve the list in two ways:
|
||||
|
||||
- Retrieve the status of all Windows Defender Antivirus preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line.
|
||||
- Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line.
|
||||
|
||||
**Review the list of exclusions alongside all other Windows Defender Antivirus preferences:**
|
||||
**Validate the exclusion list by using MpCmdRun:**
|
||||
|
||||
To check exclusions with the dedicated [command-line tool mpcmdrun.exe](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus?branch=v-anbic-wdav-new-mpcmdrun-options), use the following command:
|
||||
|
||||
```DOS
|
||||
MpCmdRun.exe -CheckExclusion -path <path>
|
||||
```
|
||||
|
||||
>[!NOTE]
|
||||
>Checking exclusions with MpCmdRun requires Windows Defender Antivirus CAMP version 4.18.1812.3 (released in December 2018) or later.
|
||||
|
||||
|
||||
**Review the list of exclusions alongside all other Windows Defender Antivirus preferences by using PowerShell:**
|
||||
|
||||
Use the following cmdlet:
|
||||
|
||||
@ -164,7 +176,7 @@ Get-MpPreference
|
||||
|
||||
See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
|
||||
|
||||
**Retrieve a specific exclusions list:**
|
||||
**Retrieve a specific exclusions list by using PowerShell:**
|
||||
|
||||
Use the following code snippet (enter each line as a separate command); replace **WDAVprefs** with whatever label you want to name the variable:
|
||||
|
||||
|
||||
@ -11,7 +11,7 @@ ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
author: andreabichsel
|
||||
ms.author: v-anbic
|
||||
ms.date: 09/03/2018
|
||||
ms.date: 12/10/2018
|
||||
---
|
||||
|
||||
# Configure scheduled quick or full Windows Defender Antivirus scans
|
||||
@ -42,7 +42,6 @@ To configure the Group Policy settings described in this topic:
|
||||
|
||||
6. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings.
|
||||
|
||||
|
||||
Also see the [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) and [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md) topics.
|
||||
|
||||
## Quick scan versus full scan and custom scan
|
||||
@ -66,6 +65,8 @@ A custom scan allows you to specify the files and folders to scan, such as a USB
|
||||
|
||||
Scheduled scans will run at the day and time you specify. You can use Group Policy, PowerShell, and WMI to configure scheduled scans.
|
||||
|
||||
>[!NOTE]
|
||||
>If a computer is unplugged and running on battery during a scheduled full scan, the scheduled scan will stop with event 1002, which states that the scan stopped before completion. Windows Defender Antivirus will run a full scan at the next scheduled time.
|
||||
|
||||
**Use Group Policy to schedule scans:**
|
||||
|
||||
|
||||
@ -22,6 +22,7 @@
|
||||
### [Deploy WDAC policies using Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md)
|
||||
### [Deploy WDAC policies using Intune](deploy-windows-defender-application-control-policies-using-intune.md)
|
||||
### [Use WDAC with .NET hardening](use-windows-defender-application-control-with-dynamic-code-security.md)
|
||||
### [Query WDAC events with Advanced hunting](querying-application-control-events-centrally-using-advanced-hunting.md)
|
||||
### [Use code signing to simplify application control for classic Windows applications](use-code-signing-to-simplify-application-control-for-classic-windows-applications.md)
|
||||
#### [Optional: Use the Device Guard Signing Portal in the Microsoft Store for Business](use-device-guard-signing-portal-in-microsoft-store-for-business.md)
|
||||
#### [Optional: Create a code signing cert for WDAC](create-code-signing-cert-for-windows-defender-application-control.md)
|
||||
|
||||
@ -0,0 +1,39 @@
|
||||
---
|
||||
title: Querying Application Control events centrally using Advanced hunting (Windows 10)
|
||||
description: Learn about Windows Defender Application Guard and how it helps to combat malicious content and malware out on the Internet.
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: manage
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.localizationpriority: medium
|
||||
author: mdsakibMSFT
|
||||
ms.author: justinha
|
||||
ms.date: 12/06/2018
|
||||
---
|
||||
|
||||
# Querying Application Control events centrally using Advanced hunting
|
||||
|
||||
A Windows Defender Application Control (WDAC) policy logs events locally in Windows Event Viewer in either enforced or audit mode.
|
||||
While Event Viewer helps to see the impact on a single system, IT Pros want to gauge the impact across many systems.
|
||||
|
||||
In November 2018, we added functionality in Windows Defender Advanced Threat Protection (Windows Defender ATP) that makes it easy to view WDAC events centrally from all systems that are connected to Windows Defender ATP.
|
||||
|
||||
Advanced hunting in Windows Defender ATP allows customers to query data using a rich set of capabilities. WDAC events can be queried with using an ActionType that starts with “AppControl”.
|
||||
This capability is supported beginning with Windows version 1607.
|
||||
|
||||
Here is a simple example query that shows all the WDAC events generated in the last seven days from machines being monitored by Windows Defender ATP:
|
||||
|
||||
```
|
||||
MiscEvents
|
||||
| where EventTime > ago(7d) and
|
||||
ActionType startswith "AppControl"
|
||||
| summarize Machines=dcount(ComputerName) by ActionType
|
||||
| order by Machines desc
|
||||
```
|
||||
|
||||
The query results can be used for several important functions related to managing WDAC including:
|
||||
|
||||
- Assessing the impact of deploying policies in audit mode
|
||||
Since applications still run in audit mode, it is an ideal way to see the impact and correctness of the rules included in the policy. Integrating the generated events with Advanced hunting makes it much easier to have broad deployments of audit mode policies and see how the included rules would impact those systems in real world usage. This audit mode data will help streamline the transition to using policies in enforced mode.
|
||||
- Monitoring blocks from policies in enforced mode
|
||||
Policies deployed in enforced mode may block executables or scripts that fail to meet any of the included allow rules. Legitimate new applications and updates or potentially unwanted or malicious software could be blocked. In either case, the Advanced hunting queries report the blocks for further investigation.
|
||||
@ -59,7 +59,7 @@ To see a live example of these operators, run them as part of the **Get started*
|
||||
|
||||
## Access query language documentation
|
||||
|
||||
For more information on the query language and supported operators, see [Query Language](https://docs.loganalytics.io/docs/Language-Reference/).
|
||||
For more information on the query language and supported operators, see [Query Language](https://docs.microsoft.com/azure/log-analytics/query-language/query-language).
|
||||
|
||||
## Use exposed tables in Advanced hunting
|
||||
|
||||
|
||||
@ -50,7 +50,6 @@ detectionSource | string | Detection source.
|
||||
threatFamilyName | string | Threat family.
|
||||
title | string | Alert title.
|
||||
description | String | Description of the threat, identified by the alert.
|
||||
recommendedAction | String | Action recommended for handling the suspected threat.
|
||||
alertCreationTime | DateTimeOffset | The date and time (in UTC) the alert was created.
|
||||
lastEventTime | DateTimeOffset | The last occurance of the event that triggered the alert on the same machine.
|
||||
firstEventTime | DateTimeOffset | The first occurance of the event that triggered the alert on that machine.
|
||||
@ -74,7 +73,6 @@ machineId | String | ID of a [machine](machine-windows-defender-advanced-threat-
|
||||
"threatFamilyName": "Mikatz",
|
||||
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
|
||||
"description": "Some description"
|
||||
"recommendedAction": "Some recommended action"
|
||||
"alertCreationTime": "2018-11-26T16:19:21.8409809Z",
|
||||
"firstEventTime": "2018-11-26T16:17:50.0948658Z",
|
||||
"lastEventTime": "2018-11-26T16:18:01.809871Z",
|
||||
|
||||
@ -26,7 +26,8 @@ ms.date: 11/20/2018
|
||||
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-attacksimulations-abovefoldlink)
|
||||
|
||||
>[!TIP]
|
||||
> Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
|
||||
>- Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
|
||||
>- Windows Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/).
|
||||
|
||||
|
||||
You might want to experience Windows Defender ATP before you onboard more than a few machines to the service. To do this, you can run controlled attack simulations on a few test machines. After running the simulated attacks, you can review how Windows Defender ATP surfaces malicious activity and explore how it enables an efficient response.
|
||||
|
||||
@ -11,7 +11,7 @@ ms.pagetype: security
|
||||
ms.author: macapara
|
||||
author: mjcaparas
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 12/05/2018
|
||||
ms.date: 12/06/2018
|
||||
---
|
||||
|
||||
# Onboard Windows 10 machines using Mobile Device Management tools
|
||||
@ -34,9 +34,10 @@ For more information on enabling MDM with Microsoft Intune, see [Setup Windows D
|
||||
|
||||
## Onboard machines using Microsoft Intune
|
||||
|
||||
Follow the instructions from [Intune](https://docs.microsoft.com/intune/advanced-threat-protection).
|
||||
|
||||
For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx).
|
||||
|
||||
Follow the instructions provided in the [Microsoft Intune documentation](https://docs.microsoft.com/intune/advanced-threat-protection).
|
||||
|
||||
> [!NOTE]
|
||||
> - The **Health Status for onboarded machines** policy uses read-only properties and can't be remediated.
|
||||
|
||||
@ -84,8 +84,8 @@ Content-Length: application/json
|
||||
"machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
|
||||
"severity": "Low",
|
||||
"title": "test alert",
|
||||
"description": "redalert",
|
||||
"recommendedAction": "white alert",
|
||||
"description": "test alert",
|
||||
"recommendedAction": "test alert",
|
||||
"eventTime": "2018-08-03T16:45:21.7115183Z",
|
||||
"reportId": "20776",
|
||||
"category": "None"
|
||||
|
||||
@ -11,7 +11,7 @@ ms.pagetype: security
|
||||
ms.author: macapara
|
||||
author: mjcaparas
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 10/08/2018
|
||||
ms.date: 12/10/2018
|
||||
---
|
||||
|
||||
# Enable SIEM integration in Windows Defender ATP
|
||||
@ -20,20 +20,29 @@ ms.date: 10/08/2018
|
||||
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
|
||||
|
||||
|
||||
|
||||
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-enablesiem-abovefoldlink)
|
||||
|
||||
Enable security information and event management (SIEM) integration so you can pull alerts from Windows Defender Security Center using your SIEM solution or by connecting directly to the alerts REST API.
|
||||
|
||||
## Prerequisites
|
||||
- The user who activates the setting must have permissions to create an app in Azure Active Directory (AAD). This is typically someone with a **Global administrator** role.
|
||||
- During the initial activation, a pop-up screen is displayed for credentials to be entered. Make sure that you allow pop-ups for this site.
|
||||
|
||||
## Enabling SIEM integration
|
||||
1. In the navigation pane, select **Settings** > **SIEM**.
|
||||
|
||||
|
||||
|
||||
|
||||
>[!TIP]
|
||||
>If you encounter an error when trying to enable the SIEM connector application, check the pop-up blocker settings of your browser. It might be blocking the new window being opened when you enable the capability.
|
||||
|
||||
2. Select **Enable SIEM integration**. This activates the **SIEM connector access details** section with pre-populated values and an application is created under you Azure Active Directory (AAD) tenant.
|
||||
|
||||
> [!WARNING]
|
||||
>The client secret is only displayed once. Make sure you keep a copy of it in a safe place.<br>
|
||||
For more information about getting a new secret see, [Learn how to get a new secret](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md#learn-how-to-get-a-new-client-secret).
|
||||
> [!WARNING]
|
||||
>The client secret is only displayed once. Make sure you keep a copy of it in a safe place.<br>
|
||||
For more information about getting a new secret see, [Learn how to get a new secret](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md#learn-how-to-get-a-new-client-secret).
|
||||
|
||||
|
||||
|
||||
3. Choose the SIEM type you use in your organization.
|
||||
|
||||
|
||||
@ -100,8 +100,7 @@ Content-type: application/json
|
||||
"detectionSource": "WindowsDefenderAv",
|
||||
"threatFamilyName": "Mikatz",
|
||||
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
|
||||
"description": "Some description"
|
||||
"recommendedAction": "Some recommended action"
|
||||
"description": "Some description",
|
||||
"alertCreationTime": "2018-11-26T16:19:21.8409809Z",
|
||||
"firstEventTime": "2018-11-26T16:17:50.0948658Z",
|
||||
"lastEventTime": "2018-11-26T16:18:01.809871Z",
|
||||
|
||||
@ -87,8 +87,7 @@ Here is an example of the response.
|
||||
"detectionSource": "WindowsDefenderAv",
|
||||
"threatFamilyName": "Mikatz",
|
||||
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
|
||||
"description": "Some description"
|
||||
"recommendedAction": "Some recommended action"
|
||||
"description": "Some description",
|
||||
"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
|
||||
"firstEventTime": "2018-11-25T16:17:50.0948658Z",
|
||||
"lastEventTime": "2018-11-25T16:18:01.809871Z",
|
||||
|
||||
@ -100,8 +100,7 @@ Here is an example of the response.
|
||||
"detectionSource": "WindowsDefenderAv",
|
||||
"threatFamilyName": "Mikatz",
|
||||
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
|
||||
"description": "Some description"
|
||||
"recommendedAction": "Some recommended action"
|
||||
"description": "Some description",
|
||||
"alertCreationTime": "2018-11-26T16:19:21.8409809Z",
|
||||
"firstEventTime": "2018-11-26T16:17:50.0948658Z",
|
||||
"lastEventTime": "2018-11-26T16:18:01.809871Z",
|
||||
@ -121,8 +120,7 @@ Here is an example of the response.
|
||||
"detectionSource": "WindowsDefenderAv",
|
||||
"threatFamilyName": "Mikatz",
|
||||
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
|
||||
"description": "Some description"
|
||||
"recommendedAction": "Some recommended action"
|
||||
"description": "Some description",
|
||||
"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
|
||||
"firstEventTime": "2018-11-25T16:17:50.0948658Z",
|
||||
"lastEventTime": "2018-11-25T16:18:01.809871Z",
|
||||
|
||||
@ -96,8 +96,7 @@ Content-type: application/json
|
||||
"detectionSource": "WindowsDefenderAv",
|
||||
"threatFamilyName": "Mikatz",
|
||||
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
|
||||
"description": "Some description"
|
||||
"recommendedAction": "Some recommended action"
|
||||
"description": "Some description",
|
||||
"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
|
||||
"firstEventTime": "2018-11-25T16:17:50.0948658Z",
|
||||
"lastEventTime": "2018-11-25T16:18:01.809871Z",
|
||||
@ -117,8 +116,7 @@ Content-type: application/json
|
||||
"detectionSource": "WindowsDefenderAv",
|
||||
"threatFamilyName": "Mikatz",
|
||||
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
|
||||
"description": "Some description"
|
||||
"recommendedAction": "Some recommended action"
|
||||
"description": "Some description",
|
||||
"alertCreationTime": "2018-11-24T16:19:21.8409809Z",
|
||||
"firstEventTime": "2018-11-24T16:17:50.0948658Z",
|
||||
"lastEventTime": "2018-11-24T16:18:01.809871Z",
|
||||
|
||||
@ -94,8 +94,7 @@ Content-type: application/json
|
||||
"detectionSource": "WindowsDefenderAv",
|
||||
"threatFamilyName": "Mikatz",
|
||||
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
|
||||
"description": "Some description"
|
||||
"recommendedAction": "Some recommended action"
|
||||
"description": "Some description",
|
||||
"alertCreationTime": "2018-11-26T16:19:21.8409809Z",
|
||||
"firstEventTime": "2018-11-26T16:17:50.0948658Z",
|
||||
"lastEventTime": "2018-11-26T16:18:01.809871Z",
|
||||
|
||||
@ -93,8 +93,7 @@ Content-type: application/json
|
||||
"detectionSource": "WindowsDefenderAv",
|
||||
"threatFamilyName": "Mikatz",
|
||||
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
|
||||
"description": "Some description"
|
||||
"recommendedAction": "Some recommended action"
|
||||
"description": "Some description",
|
||||
"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
|
||||
"firstEventTime": "2018-11-25T16:17:50.0948658Z",
|
||||
"lastEventTime": "2018-11-25T16:18:01.809871Z",
|
||||
|
||||
@ -93,8 +93,7 @@ Content-type: application/json
|
||||
"detectionSource": "WindowsDefenderAv",
|
||||
"threatFamilyName": "Mikatz",
|
||||
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
|
||||
"description": "Some description"
|
||||
"recommendedAction": "Some recommended action"
|
||||
"description": "Some description",
|
||||
"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
|
||||
"firstEventTime": "2018-11-25T16:17:50.0948658Z",
|
||||
"lastEventTime": "2018-11-25T16:18:01.809871Z",
|
||||
|
||||
@ -20,7 +20,8 @@ ms.date: 11/20/2018
|
||||
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
|
||||
|
||||
>[!TIP]
|
||||
> Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
|
||||
>- Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
|
||||
>- Windows Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/).
|
||||
|
||||
Learn about the minimum requirements and initial steps you need to take to get started with Windows Defender ATP.
|
||||
|
||||
|
||||
@ -93,8 +93,7 @@ Content-type: application/json
|
||||
"detectionSource": "WindowsDefenderAv",
|
||||
"threatFamilyName": "Mikatz",
|
||||
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
|
||||
"description": "Some description"
|
||||
"recommendedAction": "Some recommended action"
|
||||
"description": "Some description",
|
||||
"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
|
||||
"firstEventTime": "2018-11-25T16:17:50.0948658Z",
|
||||
"lastEventTime": "2018-11-25T16:18:01.809871Z",
|
||||
@ -114,8 +113,7 @@ Content-type: application/json
|
||||
"detectionSource": "WindowsDefenderAv",
|
||||
"threatFamilyName": "Mikatz",
|
||||
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
|
||||
"description": "Some description"
|
||||
"recommendedAction": "Some recommended action"
|
||||
"description": "Some description",
|
||||
"alertCreationTime": "2018-11-24T16:19:21.8409809Z",
|
||||
"firstEventTime": "2018-11-24T16:17:50.0948658Z",
|
||||
"lastEventTime": "2018-11-24T16:18:01.809871Z",
|
||||
|
||||
Binary file not shown.
|
After Width: | Height: | Size: 49 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 68 KiB |
@ -31,12 +31,12 @@ Windows Defender ATP applies two methods to discover and protect data:
|
||||
|
||||
|
||||
## Data discovery
|
||||
Windows Defender ATP automatically discovers files with Office 365 sensitivity labels on Windows devices when the feature is enabled. You can enable the Azure Information Protection integration feature from Windows Defender Security Center. For more information, see [Configure advanced features](advanced-features-windows-defender-advanced-threat-protection.md#azure-information-protection).
|
||||
Windows Defender ATP automatically discovers files with sensitivity labels on Windows devices when the feature is enabled. You can enable the Azure Information Protection integration feature from Windows Defender Security Center. For more information, see [Configure advanced features](advanced-features-windows-defender-advanced-threat-protection.md#azure-information-protection).
|
||||
|
||||
|
||||
|
||||
|
||||
After enabling the Azure Information Protection integration, data discovery signals are immediately forwarded to Azure Information Protection from the device. When a file that has a sensitivity label applied is created or modified on a Windows device, Windows Defender ATP automatically reports the signal to Azure Information Protection.
|
||||
After enabling the Azure Information Protection integration, data discovery signals are immediately forwarded to Azure Information Protection from the device. When a labeled file is created or modified on a Windows device, Windows Defender ATP automatically reports the signal to Azure Information Protection.
|
||||
|
||||
The reported signals can be viewed on the Azure Information Protection - Data discovery dashboard.
|
||||
|
||||
@ -70,7 +70,7 @@ InformationProtectionLogs_CL
|
||||
```
|
||||
|
||||
**Prerequisites:**
|
||||
- Customers must have a subscription for Azure Information Protection, and be using a unified labeling client.
|
||||
- Customers must have a subscription for Azure Information Protection.
|
||||
- Enable Azure Information Protection integration in Windows Defender Security Center:
|
||||
- Go to **Settings** in Windows Defender Security Center, click on **Advanced Settings** under **General**.
|
||||
|
||||
|
||||
@ -40,7 +40,7 @@ id | Guid | Identity of the [Machine Action](machineaction-windows-defender-adva
|
||||
type | Enum | Type of the action. Possible values are: "RunAntiVirusScan", "Offboard", "CollectInvestigationPackage", "Isolate", "Unisolate", "StopAndQuarantineFile", "RestrictCodeExecution" and "UnrestrictCodeExecution"
|
||||
requestor | String | Identity of the person that executed the action.
|
||||
requestorComment | String | Comment that was written when issuing the action.
|
||||
status | Enum | Current status of the command. Possible values are: "InProgress", "Succeeded", "Failed", "TimeOut" and "Cancelled".
|
||||
status | Enum | Current status of the command. Possible values are: "Pending", "InProgress", "Succeeded", "Failed", "TimeOut" and "Cancelled".
|
||||
machineId | String | Id of the machine on which the action was executed.
|
||||
creationDateTimeUtc | DateTimeOffset | The date and time when the action was created.
|
||||
lastUpdateTimeUtc | DateTimeOffset | The last date and time when the action status was updated.
|
||||
|
||||
@ -25,7 +25,8 @@ There are some minimum requirements for onboarding machines to the service.
|
||||
|
||||
|
||||
>[!TIP]
|
||||
> Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
|
||||
>- Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
|
||||
>- Windows Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/).
|
||||
|
||||
## Licensing requirements
|
||||
Windows Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers:
|
||||
|
||||
@ -22,7 +22,8 @@ ms.date: 11/20/2018
|
||||
Understand the concepts behind the capabilities in Windows Defender ATP so you take full advantage of the complete threat protection platform.
|
||||
|
||||
>[!TIP]
|
||||
> Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
|
||||
>- Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
|
||||
>- Windows Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/).
|
||||
|
||||
## In this section
|
||||
|
||||
|
||||
@ -73,7 +73,7 @@ The response will include an access token and expiry information.
|
||||
```json
|
||||
{
|
||||
"token_type": "Bearer",
|
||||
"expires_in": "3599"
|
||||
"expires_in": "3599",
|
||||
"ext_expires_in": "0",
|
||||
"expires_on": "1488720683",
|
||||
"not_before": "1488720683",
|
||||
|
||||
@ -236,7 +236,7 @@ For a machine to be considered "well configured", it must comply to a minimum ba
|
||||
>This security control is only applicable for machines with Windows 10, version 1803 or later.
|
||||
|
||||
#### Minimum baseline configuration setting for BitLocker
|
||||
- Ensure all supported internal drives are encrypted
|
||||
- Ensure all supported drives are encrypted
|
||||
- Ensure that all suspended protection on drives resume protection
|
||||
- Ensure that drives are compatible
|
||||
|
||||
|
||||
@ -98,8 +98,7 @@ Here is an example of the response.
|
||||
"detectionSource": "WindowsDefenderAv",
|
||||
"threatFamilyName": "Mikatz",
|
||||
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
|
||||
"description": "Some description"
|
||||
"recommendedAction": "Some recommended action"
|
||||
"description": "Some description",
|
||||
"alertCreationTime": "2018-11-26T16:19:21.8409809Z",
|
||||
"firstEventTime": "2018-11-26T16:17:50.0948658Z",
|
||||
"lastEventTime": "2018-11-26T16:18:01.809871Z",
|
||||
|
||||
@ -68,7 +68,8 @@ Windows Defender ATP uses the following combination of technology built into Win
|
||||
|
||||
|
||||
>[!TIP]
|
||||
> Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
|
||||
>- Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
|
||||
>- Windows Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/).
|
||||
|
||||
**[Attack surface reduction](overview-attack-surface-reduction.md)**<br>
|
||||
The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations.
|
||||
|
||||
@ -33,13 +33,13 @@ You can also get detailed reporting into events and blocks as part of Windows Se
|
||||
|
||||
You can create custom views in the Windows Event Viewer to only see events for specific capabilities and settings.
|
||||
|
||||
The easiest way to do this is to import a custom view as an XML file. You can obtain XML files for each of the features in the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w), or you can copy the XML directly from this page.
|
||||
The easiest way to do this is to import a custom view as an XML file. You can copy the XML directly from this page.
|
||||
|
||||
You can also manually navigate to the event area that corresponds to the feature, see the [list of attack surface reduction events](#list-of-attack-surface-reduction-events) section at the end of this topic for more details.
|
||||
|
||||
### Import an existing XML custom view
|
||||
|
||||
1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the appropriate file to an easily accessible location. The following filenames are each of the custom views:
|
||||
1. Create an empty .txt file and copy the XML for the custom view you want to use into the .txt file. Do this for each of the custom views you want to use. Rename the files as follows (ensure you change the type from .txt to .xml):
|
||||
- Controlled folder access events custom view: *cfa-events.xml*
|
||||
- Exploit protection events custom view: *ep-events.xml*
|
||||
- Attack surface reduction events custom view: *asr-events.xml*
|
||||
|
||||
Reference in New Issue
Block a user