merge from master

This commit is contained in:
Joey Caparas
2018-10-22 13:21:34 -07:00
19 changed files with 143 additions and 31 deletions

View File

@ -7,7 +7,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: tedhardyMSFT
ms.date: 10/18/2018
ms.date: 10/22/2018
---
# How to get a list of XML data name elements in EventData
@ -85,9 +85,9 @@ PS C:\WINDOWS\system32> $SecEvents.events[100].Template
## Mapping data name elements to the names in an event description
You can use the <Template> and <Description> to map the data name elements that appear in XML view to the names that appear in the event description.
You can use the &lt;Template&gt; and &lt;Description&gt; to map the data name elements that appear in XML view to the names that appear in the event description.
The <Description> is just the format string (if youre used to Console.Writeline or sprintf statements) and the <Template> is the source of the input parameters for the <Description>.
The &lt;Description&gt; is just the format string (if youre used to Console.Writeline or sprintf statements) and the &lt;Template&gt; is the source of the input parameters for the &lt;Description&gt;.
Using Security event 4734 as an example:
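Review bot: the entity escaping on the changed lines of this hunk is a correct fix for the renderer treating `<Template>` and `<Description>` as HTML tags, but inline code spans (`` `<Template>` ``) would achieve the same rendering while keeping the markdown source readable; whichever form is kept, the same lines still carry "youre" (should be "you're") and "Console.Writeline" (the .NET method is `Console.WriteLine`), which this pass could fix at the same time.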
@ -125,5 +125,5 @@ For the "Subject: Security Id:" text element, it will use the fourth element in
For "Additional Information Privileges:", it would use the eighth element "PrivelegeList".
A caveat to this is an oft-overlooked property of events called Version (in the <SYSTEM> element) that indicates the revision of the event schema and description. Most events have 1 version (all events have Version =0 like the Security/4734 example) but a few events like Security/4624 or Security/4688 have at least 3 versions (versions 0, 1, 2) depending on the OS version where the event is generated. Only the latest version is used for generating events in the Security log. In any case, the Event Version where the Template is taken from should use the same Event Version for the Description.
A caveat to this is an oft-overlooked property of events called Version (in the &lt;SYSTEM&gt; element) that indicates the revision of the event schema and description. Most events have 1 version (all events have Version =0 like the Security/4734 example) but a few events like Security/4624 or Security/4688 have at least 3 versions (versions 0, 1, 2) depending on the OS version where the event is generated. Only the latest version is used for generating events in the Security log. In any case, the Event Version where the Template is taken from should use the same Event Version for the Description.
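Review bot: same escaping approach as the previous hunk, applied to `<SYSTEM>`; while this paragraph is being touched, the element in event XML is conventionally written `<System>`, the context line above spells the data name "PrivelegeList" where the actual element name is `PrivilegeList`, and "Version =0" has a stray space before the `=`. Fixing these in the same change would keep the rendered names consistent with what readers see in the XML view.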

View File

@ -21,6 +21,10 @@
##### [Manage incidents](manage-incidents-windows-defender-advanced-threat-protection.md)
##### [Investigate incidents](investigate-incidents-windows-defender-advanced-threat-protection.md)
#### [Incidents queue](incidents-queue.md)
##### [View and organize the Incidents queue](view-incidents-queue.md)
##### [Manage incidents](manage-incidents-windows-defender-advanced-threat-protection.md)
##### [Investigate incidents](investigate-incidents-windows-defender-advanced-threat-protection.md)
#### Alerts queue
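Review bot: the three `#####` entries added under the new `#### [Incidents queue](incidents-queue.md)` heading repeat "Manage incidents" and "Investigate incidents", which are still present as context lines immediately above the insertion; unless both placements are intended, the original two lines should be removed in this change so the TOC does not list the same pages twice under different parents. Also confirm that `view-incidents-queue.md` and `incidents-queue.md` exist in this branch, since the merge adds links to them.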

View File

@ -41,6 +41,9 @@ The following features are included in the preview release:
- [Threat analytics](threat-analytics.md)<br>
Threat Analytics is a set of interactive reports published by the Windows Defender ATP research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats.
- [Incidents](incidents-queue.md)<br>
Windows Defender ATP applies correlation analytics and aggregates all related alerts and investigations into an incident. Doing so helps narrate a broader story of an attack, thus providing you with the right visuals (upgraded incident graph) and data representations to understand and deal with complex cross-entity threats to your organization's network.
- [Custom detection](overview-custom-detections.md)<br>
With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of Advanced hunting through the creation of custom detection rules.
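Review bot: the new Incidents bullet links to incidents-queue.md, matching the TOC entry this commit adds, so the cross-references are consistent; the description itself reads as marketing copy ("narrate a broader story of an attack", "right visuals") and would be clearer if it stated what the feature does, namely that correlated alerts and investigations are grouped into one incident shown on an incident graph. The neighbouring Threat analytics context line also has a subject-verb mismatch ("The reports help ... and provides") that could be fixed here.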