From a25ade57d6338eada08b865841c9e7fac3928edb Mon Sep 17 00:00:00 2001
From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com>
Date: Thu, 10 Dec 2020 01:21:18 +0100
Subject: [PATCH 01/10] Update respond-file-alerts.md
Changes proposed:
- Whitespace standardization and normalization
- MarkDown table extended to simplify future editing
- Use MD H4 instead of **bold** style paragraph headings
Whitespace changes:
- remove redundant end-of-line whitespace
- whitespace indents: use 3 instead of 4 blank spaces
- add MD indent marker (`> `) compatibility spacing
Ref. my own comment in PR #8726
---
.../respond-file-alerts.md | 92 +++++++++----------
1 file changed, 46 insertions(+), 46 deletions(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md
index 354a099a61..bccc623abc 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md
@@ -13,7 +13,7 @@ author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: M365-security-compliance
ms.topic: article
---
@@ -25,10 +25,10 @@ ms.topic: article
**Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
+
[!include[Prerelease information](../../includes/prerelease.md)]
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-responddile-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-responddile-abovefoldlink)
Quickly respond to detected attacks by stopping and quarantining files or blocking a file. After taking action on files, you can check activity details in the Action center.
@@ -46,12 +46,12 @@ You can also submit files for deep analysis, to run the file in a secure cloud s
Some actions require certain permissions. The following table describes what action certain permissions can take on portable executable (PE) and non-PE files:
-Permission | PE files | Non-PE files
-:---|:---|:---
-View data | X | X
-Alerts investigation | ☑ | X
-Live response basic | X | X
-Live response advanced | ☑ |☑
+| Permission | PE files | Non-PE files |
+| :--------------------- | :------: | :----------: |
+| View data | X | X |
+| Alerts investigation | ☑ | X |
+| Live response basic | X | X |
+| Live response advanced | ☑ | ☑ |
For more information on roles, see [Create and manage roles for role-based access control](user-roles.md).
@@ -60,8 +60,8 @@ For more information on roles, see [Create and manage roles for role-based acces
You can contain an attack in your organization by stopping the malicious process and quarantining the file where it was observed.
->[!IMPORTANT]
->You can only take this action if:
+> [!IMPORTANT]
+> You can only take this action if:
>
> - The device you're taking the action on is running Windows 10, version 1703 or later
> - The file does not belong to trusted third-party publishers or not signed by Microsoft
@@ -71,35 +71,35 @@ The **Stop and Quarantine File** action includes stopping running processes, qua
This action takes effect on devices with Windows 10, version 1703 or later, where the file was observed in the last 30 days.
->[!NOTE]
->You’ll be able to restore the file from quarantine at any time.
+> [!NOTE]
+> You’ll be able to restore the file from quarantine at any time.
### Stop and quarantine files
1. Select the file you want to stop and quarantine. You can select a file from any of the following views or use the Search box:
- - **Alerts** - click the corresponding links from the Description or Details in the Artifact timeline
- - **Search box** - select **File** from the drop–down menu and enter the file name
+ - **Alerts** - click the corresponding links from the Description or Details in the Artifact timeline
+ - **Search box** - select **File** from the drop–down menu and enter the file name
- >[!NOTE]
- >The stop and quarantine file action is limited to a maximum of 1000 devices. To stop a file on a larger number of devices, see [Add indicator to block or allow file](#add-indicator-to-block-or-allow-a-file).
+ > [!NOTE]
+ > The stop and quarantine file action is limited to a maximum of 1000 devices. To stop a file on a larger number of devices, see [Add indicator to block or allow file](#add-indicator-to-block-or-allow-a-file).
2. Go to the top bar and select **Stop and Quarantine File**.
- 
+ 
3. Specify a reason, then click **Confirm**.
- 
+ 
- The Action center shows the submission information:
- 
+ The Action center shows the submission information:
+ 
- - **Submission time** - Shows when the action was submitted.
- - **Success** - Shows the number of devices where the file has been stopped and quarantined.
- - **Failed** - Shows the number of devices where the action failed and details about the failure.
- - **Pending** - Shows the number of devices where the file is yet to be stopped and quarantined from. This can take time for cases when the device is offline or not connected to the network.
+ - **Submission time** - Shows when the action was submitted.
+ - **Success** - Shows the number of devices where the file has been stopped and quarantined.
+ - **Failed** - Shows the number of devices where the action failed and details about the failure.
+ - **Pending** - Shows the number of devices where the file is yet to be stopped and quarantined from. This can take time for cases when the device is offline or not connected to the network.
4. Select any of the status indicators to view more information about the action. For example, select **Failed** to see where the action failed.
@@ -118,9 +118,9 @@ You can roll back and remove a file from quarantine if you’ve determined that
1. Open an elevated command–line prompt on the device:
- a. Go to **Start** and type _cmd_.
+ a. Go to **Start** and type _cmd_.
- b. Right–click **Command prompt** and select **Run as administrator**.
+ b. Right–click **Command prompt** and select **Run as administrator**.
2. Enter the following command, and press **Enter**:
@@ -130,26 +130,26 @@ You can roll back and remove a file from quarantine if you’ve determined that
> [!NOTE]
> In some scenarios, the **ThreatName** may appear as: EUS:Win32/CustomEnterpriseBlock!cl.
->
+>
> Defender for Endpoint will restore all custom blocked files that were quarantined on this device in the last 30 days.
> [!Important]
-> A file that was quarantined as a potential network threat might not be recoverable. If a user attempts to restore the file after quarantine, that file might not be accessible. This can be due to the system no longer having network credentials to access the file. Typically, this is a result of a temporary log on to a system or shared folder and the access tokens expired.
+> A file that was quarantined as a potential network threat might not be recoverable. If a user attempts to restore the file after quarantine, that file might not be accessible. This can be due to the system no longer having network credentials to access the file. Typically, this is a result of a temporary log on to a system or shared folder and the access tokens expired.
## Add indicator to block or allow a file
You can prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious portable executable (PE) file, you can block it. This operation will prevent it from being read, written, or executed on devices in your organization.
->[!IMPORTANT]
+> [!IMPORTANT]
>
->- This feature is available if your organization uses Microsoft Defender Antivirus and Cloud–delivered protection is enabled. For more information, see [Manage cloud–delivered protection](../microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md).
+> - This feature is available if your organization uses Microsoft Defender Antivirus and Cloud–delivered protection is enabled. For more information, see [Manage cloud–delivered protection](../microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md).
>
->- The Antimalware client version must be 4.18.1901.x or later.
->- This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. It currently supports portable executable (PE) files, including _.exe_ and _.dll_ files. The coverage will be extended over time.
->- This response action is available for devices on Windows 10, version 1703 or later.
->- The allow or block function cannot be done on files if the file's classification exists on the device's cache prior to the allow or block action.
+> - The Antimalware client version must be 4.18.1901.x or later.
+> - This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. It currently supports portable executable (PE) files, including _.exe_ and _.dll_ files. The coverage will be extended over time.
+> - This response action is available for devices on Windows 10, version 1703 or later.
+> - The allow or block function cannot be done on files if the file's classification exists on the device's cache prior to the allow or block action.
->[!NOTE]
+> [!NOTE]
> The PE file needs to be in the device timeline for you to be able to take this action.
>
> There may be a couple of minutes of latency between the time the action is taken and the actual file being blocked.
@@ -157,14 +157,14 @@ You can prevent further propagation of an attack in your organization by banning
### Enable the block file feature
To start blocking files, you first need to [turn the **Block or allow** feature on](advanced-features.md) in Settings.
-
+
### Allow or block file
When you add an indicator hash for a file, you can choose to raise an alert and block the file whenever a device in your organization attempts to run it.
Files automatically blocked by an indicator won't show up in the files's Action center, but the alerts will still be visible in the Alerts queue.
- See [manage indicators](manage-indicators.md) for more details on blocking and raising alerts on files.
+See [manage indicators](manage-indicators.md) for more details on blocking and raising alerts on files.
To stop blocking a file, remove the indicator. You can do so via the **Edit Indicator** action on the file's profile page. This action will be visible in the same position that the **Add Indicator** action was, before you added the indicator.
@@ -215,10 +215,10 @@ The Deep analysis summary includes a list of observed *behaviors*, some of which
Results of deep analysis are matched against threat intelligence and any matches will generate appropriate alerts.
-Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or for any other reason where you suspect malicious behavior. This feature is available within the **Deep analysis** tab, on the file's profile page.
+Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or for any other reason where you suspect malicious behavior. This feature is available within the **Deep analysis** tab, on the file's profile page.
->[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4aAYy?rel=0]
+> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4aAYy?rel=0]
**Submit for deep analysis** is enabled when the file is available in the Defender for Endpoint backend sample collection, or if it was observed on a Windows 10 device that supports submitting to deep analysis.
@@ -232,7 +232,7 @@ You can also manually submit a sample through the [Microsoft Security Center Por
When the sample is collected, Defender for Endpoint runs the file in is a secure environment and creates a detailed report of observed behaviors and associated artifacts, such as files dropped on devices, communication to IPs, and registry modifications.
-**Submit files for deep analysis:**
+#### Submit files for deep analysis:
1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the following views:
@@ -242,17 +242,17 @@ When the sample is collected, Defender for Endpoint runs the file in is a secure
2. In the **Deep analysis** tab of the file view, click **Submit**.
- 
+ 
- > [!NOTE]
- > Only PE files are supported, including _.exe_ and _.dll_ files.
+ > [!NOTE]
+ > Only PE files are supported, including _.exe_ and _.dll_ files.
A progress bar is displayed and provides information on the different stages of the analysis. You can then view the report when the analysis is done.
> [!NOTE]
> Depending on device availability, sample collection time can vary. There is a 3–hour timeout for sample collection. The collection will fail and the operation will abort if there is no online Windows 10 device reporting at that time. You can re–submit files for deep analysis to get fresh data on the file.
-**View deep analysis reports**
+#### View deep analysis reports
View the deep analysis report that Defender for Endpoint provides to see the details of the deep analysis that was conducted on the file you submitted. This feature is available in the file view context.
@@ -268,7 +268,7 @@ The details provided can help you investigate if there are indications of a pote
-**Troubleshoot deep analysis**
+#### Troubleshoot deep analysis
If you encounter a problem when trying to submit a file, try each of the following troubleshooting steps.
From 80871aac40a1f430974a6c33eae3ed5a8b310281 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Thu, 10 Dec 2020 09:58:06 -0800
Subject: [PATCH 02/10] Update respond-file-alerts.md
---
.../microsoft-defender-atp/respond-file-alerts.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md
index bccc623abc..766691ac1e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md
@@ -232,7 +232,7 @@ You can also manually submit a sample through the [Microsoft Security Center Por
When the sample is collected, Defender for Endpoint runs the file in is a secure environment and creates a detailed report of observed behaviors and associated artifacts, such as files dropped on devices, communication to IPs, and registry modifications.
-#### Submit files for deep analysis:
+#### Submit files for deep analysis
1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the following views:
From 8c6f6eb20929200bcc2c06bae033bd8374e5044a Mon Sep 17 00:00:00 2001
From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com>
Date: Tue, 15 Dec 2020 14:00:38 +0100
Subject: [PATCH 03/10] Important -> IMPORTANT (consistency)
- Add uppercase for the Important blob.
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
.../microsoft-defender-atp/respond-file-alerts.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md
index 766691ac1e..ef8a82a89f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md
@@ -133,7 +133,7 @@ You can roll back and remove a file from quarantine if you’ve determined that
>
> Defender for Endpoint will restore all custom blocked files that were quarantined on this device in the last 30 days.
-> [!Important]
+> [!IMPORTANT]
> A file that was quarantined as a potential network threat might not be recoverable. If a user attempts to restore the file after quarantine, that file might not be accessible. This can be due to the system no longer having network credentials to access the file. Typically, this is a result of a temporary log on to a system or shared folder and the access tokens expired.
## Add indicator to block or allow a file
From 564127205d603c4af019ebc946d790181464d6b7 Mon Sep 17 00:00:00 2001
From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com>
Date: Thu, 24 Dec 2020 15:02:20 +0100
Subject: [PATCH 04/10] Update basic-permissions.md
From issue ticket #8864 (**typo**):
> For more information, see Assign administrator and non-administrator roles to uses with Azure Active Directory.
> (near the bottom of the page)
>
> uses should read users
Thanks to andrePKI for pointing out the typo.
This seemingly simple typo correction escalated somewhat into a format improvement and link update to replace outdated MSDN and TechNet links with current MS Docs links. You want to verify if the new links are the proper ones for this source page, or request the links either to be reverted back to the old ones, in case there is specific information in the old documents not present in the new documents, or suggest more correct links to replace the old ones.
Proposed changes:
- typo correction, "uses" -> users
- typo correction: remove 2 commas from "see, Add, or remove group memberships"
- Connect-MsolService: replace the old MSDN URL with a new one pointing to its current PowerShell docs page
- old URL: https://msdn.microsoft.com/library/dn194123.aspx
- new URL: https://docs.microsoft.com/powershell/module/msonline/connect-msolservice
- "Add, or remove group memberships" link text (document title: "Manage Azure AD group and role membership") replaced with "Add or remove group members using Azure Active Directory"
- old URL: https://technet.microsoft.com/library/321d532e-407d-4e29-a00a-8afbe23008dd#BKMK_ManageGroups (anchor link jump broken by redirection)
- new URL: https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal
Whitespace & formatting changes:
- remove redundant end-of-line blanks (2 occurrences)
- add editorial blank line after MarkDown H2 and H3 headings (4 occurrences)
- MD syntax highlighting phrase "text" corrected to "PowerShell" (MD code blocks containing PS cmdlets)
- reduce double blank spacing in bullet point list to single space (1 occurrence)
- add MD indent marker compatibility spacing (1 occurrence)
Closes #8864
---
.../basic-permissions.md | 21 +++++++++++--------
1 file changed, 12 insertions(+), 9 deletions(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md b/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md
index fed2ad3911..730e666b20 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md
@@ -13,7 +13,7 @@ author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: M365-security-compliance
ms.topic: article
---
@@ -26,28 +26,30 @@ ms.topic: article
- Azure Active Directory
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-basicaccess-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-basicaccess-abovefoldlink)
-Refer to the instructions below to use basic permissions management.
+Refer to the instructions below to use basic permissions management.
You can use either of the following solutions:
- Azure PowerShell
-- Azure portal
+- Azure portal
For granular control over permissions, [switch to role-based access control](rbac.md).
## Assign user access using Azure PowerShell
+
You can assign users with one of the following levels of permissions:
- Full access (Read and Write)
- Read-only access
### Before you begin
+
- Install Azure PowerShell. For more information, see, [How to install and configure Azure PowerShell](https://azure.microsoft.com/documentation/articles/powershell-install-configure/).
> [!NOTE]
> You need to run the PowerShell cmdlets in an elevated command-line.
-- Connect to your Azure Active Directory. For more information, see, [Connect-MsolService](https://msdn.microsoft.com/library/dn194123.aspx).
+- Connect to your Azure Active Directory. For more information, see, [Connect-MsolService](https://docs.microsoft.com/powershell/module/msonline/connect-msolservice).
**Full access**
Users with full access can log in, view all system information and resolve alerts, submit files for deep analysis, and download the onboarding package.
@@ -61,19 +63,20 @@ Assigning read-only access rights requires adding the users to the "Security Rea
Use the following steps to assign security roles:
- For **read and write** access, assign users to the security administrator role by using the following command:
- ```text
+ ```PowerShell
Add-MsolRoleMember -RoleName "Security Administrator" -RoleMemberEmailAddress "secadmin@Contoso.onmicrosoft.com"
```
- For **read-only** access, assign users to the security reader role by using the following command:
- ```text
+ ```PowerShell
Add-MsolRoleMember -RoleName "Security Reader" -RoleMemberEmailAddress "reader@Contoso.onmicrosoft.com"
```
-For more information, see, [Add, or remove group memberships](https://technet.microsoft.com/library/321d532e-407d-4e29-a00a-8afbe23008dd#BKMK_ManageGroups).
+For more information, see [Add or remove group members using Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-members-azure-portal).
## Assign user access using the Azure portal
-For more information, see [Assign administrator and non-administrator roles to uses with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal).
+For more information, see [Assign administrator and non-administrator roles to users with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal).
## Related topic
+
- [Manage portal access using RBAC](rbac.md)
From 323600c55844d1a9ab3ae8fa613506593d2e963e Mon Sep 17 00:00:00 2001
From: aviveldan <39082532+aviveldan@users.noreply.github.com>
Date: Thu, 24 Dec 2020 17:22:26 +0200
Subject: [PATCH 05/10] Added response fields descriptions table
---
.../microsoft-defender-atp/get-ip-statistics.md | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md
index b58fd359e9..b3531c3636 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md
@@ -93,3 +93,12 @@ Content-type: application/json
"orgLastSeen": "2017-08-29T13:32:59Z"
}
```
+
+
+Name | Description
+:---|:---|:---
+Org prevalence | the distinct count of devices that opened network connection to this IP.
+Org first seen | the first connection for this IP in the organization.
+Org last seen | the last connection for this IP in the organization.
+>[!Note]
+> This statistic information is based on data from the past 30 days.
From 682b74814d7c7ba5cd957febffe608deecd99bc6 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Mon, 28 Dec 2020 07:12:05 -0800
Subject: [PATCH 06/10] Update
windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md
Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com>
---
.../microsoft-defender-atp/get-ip-statistics.md | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md
index b3531c3636..61b9b25be5 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md
@@ -95,10 +95,11 @@ Content-type: application/json
```
-Name | Description
-:---|:---|:---
-Org prevalence | the distinct count of devices that opened network connection to this IP.
-Org first seen | the first connection for this IP in the organization.
-Org last seen | the last connection for this IP in the organization.
+
+| Name | Description |
+| :--- | :---------- |
+| Org prevalence | the distinct count of devices that opened network connection to this IP. |
+| Org first seen | the first connection for this IP in the organization. |
+| Org last seen | the last connection for this IP in the organization. |
>[!Note]
> This statistic information is based on data from the past 30 days.
From 6d922b5a3fb3fb7380b60f52d6d56804c2192347 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Mon, 28 Dec 2020 07:12:12 -0800
Subject: [PATCH 07/10] Update
windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md
Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com>
---
.../microsoft-defender-atp/get-ip-statistics.md | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md
index 61b9b25be5..4f76236a07 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md
@@ -101,5 +101,6 @@ Content-type: application/json
| Org prevalence | the distinct count of devices that opened network connection to this IP. |
| Org first seen | the first connection for this IP in the organization. |
| Org last seen | the last connection for this IP in the organization. |
->[!Note]
+
+> [!Note]
> This statistic information is based on data from the past 30 days.
From 5fa5d4f66a21aee83bc4c95be59251909fb92f6e Mon Sep 17 00:00:00 2001
From: jcaparas
Date: Mon, 4 Jan 2021 11:54:51 -0800
Subject: [PATCH 08/10] Update
windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md
Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com>
---
.../microsoft-defender-atp/get-ip-statistics.md | 1 -
1 file changed, 1 deletion(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md
index 4f76236a07..29ce380e88 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md
@@ -95,7 +95,6 @@ Content-type: application/json
```
-
| Name | Description |
| :--- | :---------- |
| Org prevalence | the distinct count of devices that opened network connection to this IP. |
From 3e3f2ce52f529fd45b9418b829c4088adb7c7c3f Mon Sep 17 00:00:00 2001
From: jcaparas
Date: Mon, 4 Jan 2021 11:54:59 -0800
Subject: [PATCH 09/10] Update
windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md
Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com>
---
.../microsoft-defender-atp/get-ip-statistics.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md
index 29ce380e88..04c6b1641c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md
@@ -101,5 +101,5 @@ Content-type: application/json
| Org first seen | the first connection for this IP in the organization. |
| Org last seen | the last connection for this IP in the organization. |
-> [!Note]
+> [!NOTE]
> This statistic information is based on data from the past 30 days.
From deb2b53038b3bdeedd956430e3c3c77b3308a5d6 Mon Sep 17 00:00:00 2001
From: jcaparas
Date: Mon, 4 Jan 2021 11:55:42 -0800
Subject: [PATCH 10/10] Update get-ip-statistics.md
---
.../microsoft-defender-atp/get-ip-statistics.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md
index 04c6b1641c..ca568de79c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md
@@ -42,7 +42,7 @@ Permission type | Permission | Permission display name
Application | Ip.Read.All | 'Read IP address profiles'
Delegated (work or school account) | Ip.Read.All | 'Read IP address profiles'
->[!Note]
+>[!NOTE]
> When obtaining a token using user credentials:
>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)