deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-20 04:43:37 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merging changes synced from https://github.com/MicrosoftDocs/windows-docs-pr (branch live)

Browse Source
This commit is contained in:
officedocspr
2019-09-19 18:30:14 +00:00
parent 0d7a3b431a e65c4bdb20
commit f6295e0acf
228 changed files with 25511 additions and 25162 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
windows/security/threat-protection/TOC.md
View File

@ -455,8 +455,11 @@
##### [Threat protection reports](microsoft-defender-atp/threat-protection-reports.md)
##### [Machine health and compliance reports](microsoft-defender-atp/machine-reports.md)
#### [Interoperability]()
#### [Partners & APIs]()
##### [Partner applications](microsoft-defender-atp/partner-applications.md)
##### [Connected applications](microsoft-defender-atp/connected-applications.md)
##### [API explorer](microsoft-defender-atp/api-explorer.md)
#### [Manage machine configuration]()
##### [Ensure your machines are configured properly](microsoft-defender-atp/configure-machines.md)

61
windows/security/threat-protection/microsoft-defender-atp/api-explorer.md Normal file
View File

@ -0,0 +1,61 @@
---
title: API Explorer in Microsoft Defender ATP
ms.reviewer:
description: Use the API Explorer to construct and perform API queries, test and send requests for any available API
keywords: api, explorer, send, request, get, post,
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
# API Explorer
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
[!include[Prerelease information](prerelease.md)]
The Microsoft Defender ATP API Explorer is a tool that helps you explore various Microsoft Defender ATP APIs interactively.
The API Explorer makes it easy to construct and perform API queries, test and send requests for any available Microsoft Defender ATP API endpoint. You can also use the API Explorer to perform actions or find data that might not yet be available through the user interface.
The tool is useful during app development because it allows you to perform API queries that respect your user access settings, reducing the need to generate access tokens.
You can also use the tool to explore the gallery of sample queries, copy result code samples, and generate debug information.
With the API Explorer, you can:
- Run requests for any method and see responses in real-time
- Quickly browse through the API samples and learn what parameters they support
- Make API calls with ease; no need to authenticate beyond the management portal sign-in
## Access API Explorer
From the left navigation menu, select **Partners & APIs** > **API Explorer**.
## Supported APIs
API Explorer supports all the APIs offered by Microsoft Defender ATP.
The list of supported APIs is available in the [APIs documentation](apis-intro.md).
## Get started with the API Explorer
1. In the left pane, there is a list of sample requests that you can use.
2. Follow the links and click **Run query**.
Some of the samples may require specifying a parameter in the URL, for example, {machine- id}.
## FAQ
**Do I need to have an API token to use the API Explorer?** <br>
Credentials to access an API are not needed since the API Explorer uses the Microsoft Defender ATP management portal token whenever it makes a request.
The logged-in user authentication credential is used to verify that the API Explorer is authorized to access data on your behalf.
Specific API requests are limited based on your RBAC privileges; for example, a request to "Submit indicator" is limited to the security admin role.

2
windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md
View File

@ -109,7 +109,7 @@ If a proxy or firewall is blocking all traffic by default and allowing only spec
Service location | Microsoft.com DNS record
-|-
Common URLs for all locations | ```*.blob.core.windows.net``` <br>```crl.microsoft.com```<br> ```ctldl.windowsupdate.com``` <br>```events.data.microsoft.com```<br>```notify.windows.com```
Common URLs for all locations | ```*.blob.core.windows.net``` <br>```crl.microsoft.com```<br> ```ctldl.windowsupdate.com``` <br>```events.data.microsoft.com```<br>```notify.windows.com```<br> ```settings-win.data.microsoft.com ```
European Union | ```eu.vortex-win.data.microsoft.com```<br>```eu-v20.events.data.microsoft.com```<br>```winatp-gw-neu.microsoft.com```<br>```winatp-gw-weu.microsoft.com```
United Kingdom | ```uk.vortex-win.data.microsoft.com``` <br>```uk-v20.events.data.microsoft.com```<br>```winatp-gw-uks.microsoft.com```<br>```winatp-gw-ukw.microsoft.com```
United States | ```us.vortex-win.data.microsoft.com```<br> ```us-v20.events.data.microsoft.com```<br>```winatp-gw-cus.microsoft.com``` <br>```winatp-gw-eus.microsoft.com```

45
windows/security/threat-protection/microsoft-defender-atp/connected-applications.md Normal file
View File

@ -0,0 +1,45 @@
---
title: Connected applications in Microsoft Defender ATP
ms.reviewer:
description: View connected partner applications to Microsoft Defender ATP
keywords: partners, applications, third-party, connections, sentinelone, lookout, bitdefender, corrata, morphisec, paloalto, ziften, better mobile
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Connected applications in Microsoft Defender ATP
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
[!include[Prerelease information](prerelease.md)]
Connected applications integrates with the Microsoft Defender ATP platform using APIs.
Applications use standard OAuth 2.0 protocol to authenticate and provide tokens for use with Microsoft Defender ATP APIs. In addition, Azure Active Directory (Azure AD) applications allow tenant admins to set explicit control over which APIs can be accessed using the corresponding app.
You'll need to follow [these steps](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/apis-intro) to use the APIs with the connected application.
## Access the connected application page
From the left navigation menu, select **Partners & APIs** > **Connected AAD applications**.
## View connected application details
The Connected applications page provides information about the Azure AD applications connected to Microsoft Defender ATP in your organization. You can review the usage of the connected applications: last seen, number of requests in the past 24 hours, and request trends in the last 30 days.
![Image of connected apps](images/connected-apps.png)
## Edit, reconfigure, or delete a connected application
The **Open application settings** link opens the corresponding Azure AD application management page in the Azure portal. From the Azure portal, you can manage permissions, reconfigure, or delete the connected applications.

BIN
windows/security/threat-protection/microsoft-defender-atp/images/connected-apps.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 37 KiB

4
windows/security/threat-protection/microsoft-defender-atp/preview.md
View File

@ -42,6 +42,10 @@ Turn on the preview experience setting to be among the first to try upcoming fea
## Preview features
The following features are included in the preview release:
- [Connected Azure AD applications](connected-applications.md)<br> The Connected applications page provides information about the Azure AD applications connected to Microsoft Defender ATP in your organization.
- [API Explorer](api-explorer.md)<br> The API explorer makes it easy to construct and perform API queries, test and send requests for any available Microsoft Defender ATP API endpoint.
- [Tamper Protection settings in Intune](../windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md#turn-tamper-protection-on-or-off-for-your-organization-with-intune)<br/>You can now turn Tamper Protection on (or off) for your organization in the Microsoft 365 Device Management portal (Intune).
- [Microsoft Threat Experts - Experts on Demand](microsoft-threat-experts.md) <BR> You now have the option to consult with Microsoft Threat Experts from several places in the portal to help you in the context of your investigation.

53
windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-preferences.md
View File

@ -62,6 +62,23 @@ Whether real-time protection (scan files as they are accessed) is enabled or not
| **Data type** | Boolean |
| **Possible values** | true (default) <br/> false |
#### Enable / disable passive mode
Whether the antivirus engine runs in passive mode or not. In passive mode:
- Real-time protection is turned off
- On demand scanning is turned on
- Automatic threat remediation is turned off
- Security intelligence updates are turned on
- Status menu icon is hidden
|||
|:---|:---|
| **Domain** | com.microsoft.wdav |
| **Key** | passiveMode |
| **Data type** | Boolean |
| **Possible values** | false (default) <br/> true |
| **Comments** | Available in Microsoft Defender ATP version 100.67.60 or higher. |
#### Scan exclusions
Entities that have been excluded from the scan. Exclusions can be specified by full paths, extensions, or file names.
@ -213,6 +230,28 @@ Determines whether suspicious samples (that are likely to contain threats) are s
| **Data type** | Boolean |
| **Possible values** | true (default) <br/> false |
### User interface preferences
The *userInterface* section of the configuration profile is used to manage the preferences of the user interface of the product.
|||
|:---|:---|
| **Domain** | com.microsoft.wdav |
| **Key** | userInterface |
| **Data type** | Dictionary (nested preference) |
| **Comments** | See the following sections for a description of the dictionary contents. |
#### Show / hide status menu icon
Whether the status menu icon (shown in the top right corner of the screen) is hidden or not.
|||
|:---|:---|
| **Domain** | com.microsoft.wdav |
| **Key** | hideStatusMenuIcon |
| **Data type** | Boolean |
| **Possible values** | false (default) <br/> true |
## Recommended configuration profile
To get started, we recommend the following configuration profile for your enterprise to take advantage of all protection features that Microsoft Defender ATP provides.
@ -357,6 +396,8 @@ The following configuration profile contains entries for all settings described
<dict>
<key>enableRealTimeProtection</key>
<true/>
<key>passiveMode</key>
<false/>
<key>exclusions</key>
<array>
<dict>
@ -411,6 +452,11 @@ The following configuration profile contains entries for all settings described
<key>automaticSampleSubmission</key>
<true/>
</dict>
<key>userInterface</key>
<dict>
<key>hideStatusMenuIcon</key>
<false/>
</dict>
</dict>
</plist>
```
@ -465,6 +511,8 @@ The following configuration profile contains entries for all settings described
<dict>
<key>enableRealTimeProtection</key>
<true/>
<key>passiveMode</key>
<false/>
<key>exclusions</key>
<array>
<dict>
@ -519,6 +567,11 @@ The following configuration profile contains entries for all settings described
<key>automaticSampleSubmission</key>
<true/>
</dict>
<key>userInterface</key>
<dict>
<key>hideStatusMenuIcon</key>
<false/>
</dict>
</dict>
</array>
</dict>

72
windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-privacy.md
View File

@ -116,6 +116,7 @@ The following fields are collected:
| Field | Description |
| --------------------------------------------------- | ----------- |
| antivirus_engine.enable_real_time_protection | Whether real-time protection is enabled on the device or not. |
| antivirus_engine.passive_mode | Whether passive mode is enabled on the device or not. |
| cloud_service.enabled | Whether cloud delivered protection is enabled on the device or not. |
| cloud_service.timeout | Time out when the application communicates with the Microsoft Defender ATP cloud. |
| cloud_service.heartbeat_interval | Interval between consecutive heartbeats sent by the product to the cloud. |
@ -123,6 +124,8 @@ The following fields are collected:
| cloud_service.diagnostic_level | Diagnostic level of the device (required, optional). |
| cloud_service.automatic_sample_submission | Whether automatic sample submission is turned on or not. |
| edr.early_preview | Whether the machine should run EDR early preview features. |
| edr.group_id | Group identifier used by the detection and response component. |
| edr.tags | User-defined tags. |
| features.\[optional feature name\] | List of preview features, along with whether they are enabled or not. |
#### Product and service performance data events
@ -230,37 +233,44 @@ The following fields are collected:
| Field | Description |
| ------------------------------ | ----------- |
| pkt_ack_timeout | The following properties are aggregated numerical values, representing count of events that happened since kernel extension startup. |
| pkt_ack_conn_timeout | |
| ipc.ack_pkts | |
| ipc.nack_pkts | |
| ipc.send.ack_no_conn | |
| ipc.send.nack_no_conn | |
| ipc.send.ack_no_qsq | |
| ipc.send.nack_no_qsq | |
| ipc.ack.no_space | |
| ipc.ack.timeout | |
| ipc.ack.ackd_fast | |
| ipc.ack.ackd | |
| ipc.recv.bad_pkt_len | |
| ipc.recv.bad_reply_len | |
| ipc.recv.no_waiter | |
| ipc.recv.copy_failed | |
| ipc.kauth.vnode.mask | |
| ipc.kauth.vnode.read | |
| ipc.kauth.vnode.write | |
| ipc.kauth.vnode.exec | |
| ipc.kauth.vnode.del | |
| ipc.kauth.vnode.read_attr | |
| ipc.kauth.vnode.write_attr | |
| ipc.kauth.vnode.read_ex_attr | |
| ipc.kauth.vnode.write_ex_attr | |
| ipc.kauth.vnode.read_sec | |
| ipc.kauth.vnode.write_sec | |
| ipc.kauth.vnode.take_own | |
| ipc.kauth.vnode.denied | |
| ipc.kauth.file_op.mask | |
| ipc.kauth_file_op.open | |
| ipc.kauth.file_op.close | |
| pkt_ack_conn_timeout | |
| ipc.ack_pkts | |
| ipc.nack_pkts | |
| ipc.send.ack_no_conn | |
| ipc.send.nack_no_conn | |
| ipc.send.ack_no_qsq | |
| ipc.send.nack_no_qsq | |
| ipc.ack.no_space | |
| ipc.ack.timeout | |
| ipc.ack.ackd_fast | |
| ipc.ack.ackd | |
| ipc.recv.bad_pkt_len | |
| ipc.recv.bad_reply_len | |
| ipc.recv.no_waiter | |
| ipc.recv.copy_failed | |
| ipc.kauth.vnode.mask | |
| ipc.kauth.vnode.read | |
| ipc.kauth.vnode.write | |
| ipc.kauth.vnode.exec | |
| ipc.kauth.vnode.del | |
| ipc.kauth.vnode.read_attr | |
| ipc.kauth.vnode.write_attr | |
| ipc.kauth.vnode.read_ex_attr | |
| ipc.kauth.vnode.write_ex_attr | |
| ipc.kauth.vnode.read_sec | |
| ipc.kauth.vnode.write_sec | |
| ipc.kauth.vnode.take_own | |
| ipc.kauth.vnode.denied | |
| ipc.kauth.file_op.mask | |
| ipc.kauth_file_op.open | |
| ipc.kauth.file_op.close | |
| ipc.kauth.file_op.close_modified | |
| ipc.kauth.file_op.move | |
| ipc.kauth.file_op.link | |
| ipc.kauth.file_op.exec | |
| ipc.kauth.file_op.remove | |
| ipc.kauth.file_op.fork | |
| ipc.kauth.file_op.create | |
## Resources

63
windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md
View File

@ -11,35 +11,28 @@ ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
ms.date: 06/11/2019
ms.reviewer:
manager: dansimp
---
# Windows Defender Antivirus
# Next Generation Protection in Windows 10 and Windows Server 2016
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
Windows Defender Antivirus is a built-in antimalware solution that provides next generation protection for desktops, portable computers, and servers.
Next-gen protection provides enhanced safety, alongside more traditional security measures. Next-gen services use machine learning and the cloud to keep all devices on your enterprise network safe.
Windows Defender Antivirus includes:
- [Cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) for near-instant detection and blocking of new and emerging threats. Along with machine learning and the Intelligent Security Graph, cloud-delivered protection is part of the next-gen technologies that power Windows Defender Antivirus.
- [Always-on scanning](configure-real-time-protection-windows-defender-antivirus.md), using advanced file and process behavior monitoring and other heuristics (also known as "real-time protection")
- [Dedicated protection updates](manage-updates-baselines-windows-defender-antivirus.md) based on machine-learning, human and automated big-data analysis, and in-depth threat resistance research
Next-gen protection services include:
Windows Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/).
![List of Windows Defender AV engines](images/microsoft-defender-atp-next-generation-protection-engines.png)
You can configure and manage Windows Defender Antivirus with:
- System Center Configuration Manager (as System Center Endpoint Protection, or SCEP)
- Microsoft Intune
- PowerShell
- Windows Management Instrumentation (WMI)
- Group Policy
- [Always-on scanning](configure-real-time-protection-windows-defender-antivirus.md), also known as "real-time protection", for advanced file and process behavior monitoring
- [Cloud-based delivery](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) for near-instant detection and blocking of new and emerging threats
- [Dedicated protection updates](manage-updates-baselines-windows-defender-antivirus.md) powered by machine-learning, big-data analysis, and in-depth threat resistance research
>[!TIP]
>You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working and see how they work:
>
>- Cloud-delivered protection
>- Fast learning (including Block at first sight)
>- Potentially unwanted application blocking
@ -50,11 +43,24 @@ You can configure and manage Windows Defender Antivirus with:
<a id="sysreq"></a>
## Minimum system requirements
Windows Defender AV has the same hardware requirements as Windows 10. For more information, see:
- [Minimum hardware requirements](https://msdn.microsoft.com/library/windows/hardware/dn915086.aspx)
- [Hardware component guidelines](https://msdn.microsoft.com/library/windows/hardware/dn915049.aspx)
Windows Defender Antivirus is our main vehicle for next-gen protection.
Functionality, configuration, and management is largely the same when using Windows Defender AV on Windows Server 2016; however, [there are some differences](windows-defender-antivirus-on-windows-server-2016.md).
It has the same hardware requirements as Windows 10. For more information, see:
- [Minimum hardware requirements](https://msdn.microsoft.com/library/windows/hardware/dn915086.aspx)
- [Hardware component guidelines](https://msdn.microsoft.com/library/windows/hardware/dn915049.aspx)
## Configuring next-gen services
You can use the following to configure and manage next-gen services in Windows 10, while running Windows Defender Antivirus:
- System Center Configuration Manager (as System Center Endpoint Protection, or SCEP)
- Microsoft Intune
- PowerShell
- Windows Management Instrumentation (WMI)
- Group Policy
Configuration and management is largely the same in Windows Server 2016, while running Windows Defender Antivirus; however, [there are some differences](windows-defender-antivirus-on-windows-server-2016.md).
>[!TIP]
>You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working and see how they work:
@ -64,13 +70,10 @@ Functionality, configuration, and management is largely the same when using Wind
## Related topics
- [Windows Defender AV in the Windows Security app](windows-defender-security-center-antivirus.md)
- [Windows Defender AV on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md)
- [Windows Defender AV compatibility](windows-defender-antivirus-compatibility.md)
- [Evaluate Windows Defender AV protection](evaluate-windows-defender-antivirus.md)
- [Deploy, manage updates, and report on Windows Defender AV](deploy-manage-report-windows-defender-antivirus.md)
- [Configure Windows Defender AV features](configure-windows-defender-antivirus-features.md)
- [Customize, initiate, and review the results of scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
- [Review event logs and error codes to troubleshoot issues](troubleshoot-windows-defender-antivirus.md)
- [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)
- [Full version history for Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md)
- [Windows Defender Antivirus management and configuration](configuration-management-reference-windows-defender-antivirus.md)
- [Evaluate Windows Defender Antivirus protection](evaluate-windows-defender-antivirus.md)
- [Enable cloud protection](enable-cloud-protection-windows-defender-antivirus.md)
- [Configure real-time protection](configure-real-time-protection-windows-defender-antivirus.md)
- [Configure cloud block at first sight](configure-block-at-first-sight-windows-defender-antivirus.md)
- [Create and deploy cloud-protected antimalware policies](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service.md)