deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-14 14:27:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'TVMAdvHuntUpdates' into TVMAdvHuntUpd8s

Browse Source
This commit is contained in:
Dolcita Montemayor 2019-10-28 15:49:57 -07:00
commit f923f29ef2
9 changed files with 246 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
windows/security/threat-protection/TOC.md
View File

@ -122,6 +122,11 @@
##### [NetworkCommunicationEvents](microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md)
##### [ProcessCreationEvents](microsoft-defender-atp/advanced-hunting-processcreationevents-table.md)
##### [RegistryEvents](microsoft-defender-atp/advanced-hunting-registryevents-table.md)
##### [DeviceTvmSoftwareInventoryVulnerabilities table](microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md)
##### [DeviceTvmSoftwareVulnerabilitiesKB table](microsoft-defender-atp/advanced-hunting-tvm-softwarevulnerability-table.md)
##### [DeviceTvmSecureConfigurationAssessment table](microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md)
##### [DeviceTvmSecureConfigurationAssessmentKB table](microsoft-defender-atp/advanced-hunting-tvm-secureconfigkb-table.md)
###### [Advanced hunting query language best practices](microsoft-defender-atp/advanced-hunting-best-practices.md)
#### [Apply query best practices](microsoft-defender-atp/advanced-hunting-best-practices.md)
#### [Stream Advanced hunting events to Azure Event Hubs](microsoft-defender-atp/raw-data-export-event-hub.md)

4
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md
View File

@ -45,6 +45,10 @@ Table and column names are also listed within the Microsoft Defender Security Ce
| **[LogonEvents](advanced-hunting-logonevents-table.md)** | Sign-ins and other authentication events |
| **[ImageLoadEvents](advanced-hunting-imageloadevents-table.md)** | DLL loading events |
| **[MiscEvents](advanced-hunting-miscevents-table.md)** | Multiple event types, including events triggered by security controls such as Windows Defender Antivirus and exploit protection |
| **[DeviceTvmSoftwareInventoryVulnerabilities](advanced-hunting-tvm-softwareinventory-table.md)** | Vulnerabilities in your software inventory |
| **[DeviceTvmSoftwareVulnerabilitiesKB ](advanced-hunting-tvm-softwarevulnerability-table.md)** | Publicly-available vulnerabilities and whether they exist in your software inventory |
| **[DeviceTvmSecureConfigurationAssessment](advanced-hunting-tvm-configassessment-table.md)** | Security configuration assessment information |
| **[DeviceTvmSecureConfigurationAssessmentKB](advanced-hunting-tvm-secureconfigkb-table.md)** | Basis of security configuration assessment such as security industry standards and benchmarks |
## Related topics
- [Advanced hunting overview](advanced-hunting-overview.md)

51
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md Normal file
View File

@ -0,0 +1,51 @@
---
title: DeviceTvmSecureConfigurationAssessment table in the Advanced hunting schema
description: Learn about the DeviceTvmSecureConfigurationAssessment table in the Advanced hunting schema, such as machine ID, computer name, operating system platform, security configuration details, impact, and compliance information.
keywords: advanced hunting, atp query, device management, query atp data, query tvm data, query security configuration, intellisense, atp telemetry, events, events telemetry, azure log analytics, description, DeviceTvmSecureConfigurationAssessment
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dolmont
author: DulceMontemayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 10/27/2019
---
# DeviceTvmSecureConfigurationAssessment
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The DeviceTvmSecureConfigurationAssessment table in the Advanced hunting schema contains the variables needed in searching for security configuration assessment for devices. Use this reference to construct queries that return information from the table.
For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|
| MachineId | string | Unique identifier for the machine in the service |
| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
| OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7.|| CveId | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system|
| Timestamp | datetime |Date and time when the record was generated|
| ConfigurationId | string | Unique identifier for a specific configuration |
| ConfigurationCategory | string | Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls|
| ConfigurationSubcategory | string |Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features. |
| ConfigurationImpact | string | Rated impact of the configuration to the overall configuration score (1-10) |
| IsCompliant | string | Indicates whether the configuration or policy is properly configured |
## Related topics
- [Advanced hunting overview](overview-hunting.md)
- [All Advanced hunting tables](advanced-hunting-reference.md)
- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
- [Query data using Advanced hunting](advanced-hunting.md)

51
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-secureconfigkb-table.md Normal file
View File

@ -0,0 +1,51 @@
---
title: DeviceTvmSecureConfigurationAssessmentKB table in the Advanced hunting schema
description: Learn about the DeviceTvmSecureConfigurationAssessmentKB table in the Advanced hunting schema, security configuration details, and the associated industry benchmarks that it adheres to.
keywords: advanced hunting, atp query, device management, query atp data, query tvm data, query security configuration, intellisense, atp telemetry, events, events telemetry, azure log analytics, description, MITRE ATT&CK framework, DeviceTvmSecureConfigurationAssessmentKB
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dolmont
author: DulceMontemayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 10/27/2019
---
# DeviceTvmSecureConfigurationAssessmentKB
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The DeviceTvmSecureConfigurationAssessmentKB table in the Advanced hunting schema contains the variables needed in searching for your device security configuration information along with the associated security industry benchmarks it adheres to. Use this reference to construct queries that return information from the table.
For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|
| ConfigurationId | string | Unique identifier for a specific configuration |
| ConfigurationImpact | string | Rated impact of the configuration to the overall configuration score (1-10) |
| ConfigurationName | string | Display name of the configuration |
| ConfigurationDescription | string | Description of the configuration |
| RiskDescription | string | Description of the associated risk |
| ConfigurationCategory | string | Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls|
| ConfigurationSubcategory | string |Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features. |
| ConfigurationBenchmarks | string | List of industry benchmarks recommending the same or similar configuration |
| RelatedMitreTechniques | string | List of Mitre ATT&CK framework techniques observed |
| RelatedMitreTactics | string | List of Mitre ATT&CK framework tactics observed |
## Related topics
- [Advanced hunting overview](overview-hunting.md)
- [All Advanced hunting tables](advanced-hunting-reference.md)
- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
- [Query data using Advanced hunting](advanced-hunting.md)

56
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md Normal file
View File

@ -0,0 +1,56 @@
---
title: DeviceTvmSoftwareInventoryVulnerabilities table in the Advanced hunting schema
description: Learn about the DeviceTvmSoftwareInventoryVulnerabilities table in the Advanced hunting schema, such as operating system platform, version, and architecture, software vendor, name, and version, CVE ID, vulnerability severity, and descriptions
keywords: advanced hunting, atp query, device management, query atp data, query tvm data, query software inventory, query software vulnerability inventory, intellisense, atp telemetry, events, events telemetry, azure log analytics, description, DeviceTvmSoftwareInventoryVulnerabilities
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dolmont
author: DulceMontemayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 10/27/2019
---
# DeviceTvmSoftwareInventoryVulnerabilities
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
[!include[Prerelease information](prerelease.md)]
The DeviceTvmSoftwareInventoryVulnerabilities table in the Advanced hunting schema contains information needed in searching for vulnerabilities in your software inventory. Use this reference to construct queries that return information from the table.
For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|
| MachineId | string | Unique identifier for the machine in the service |
| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
| OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7.|
| OSVersion | string | Version of the operating system running on the machine |
| OSArchitecture | string | Architecture of the operating system running on the machine|
| SoftwareVendor | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape|
| SoftwareName | string | Name of the software product|
|SoftwareVersion | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system|
| CveId | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape|
| VulnerabilitySeverityLevel | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape|
## Related topics
- [Advanced hunting overview](overview-hunting.md)
- [All Advanced hunting tables](advanced-hunting-reference.md)
- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
- [Query data using Advanced hunting](advanced-hunting.md)

49
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwarevulnerability-table.md Normal file
View File

@ -0,0 +1,49 @@
---
title: DeviceTvmSoftwareVulnerabilitiesKB table in the Advanced hunting schema
description: Learn about the DeviceTvmSoftwareVulnerabilitiesKB table in the Advanced hunting schema, such as CVE ID, CVSS score, exploit availability, vulnerability severity, last modified time, date the vulnerability was disclosed to public, and affected software in your network.
keywords: advanced hunting, atp query, device management, query atp data, query tvm data, query software vulnerability inventory, intellisense, atp telemetry, events, events telemetry, azure log analytics, description, DeviceTvmSoftwareVulnerabilitiesKB
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dolmont
author: DulceMontemayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 10/27/2019
---
# DeviceTvmSoftwareVulnerabilitiesKB
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The DeviceTvmSoftwareInventoryVulnerabilities table in the Advanced hunting schema contains information needed in searching for information about publicly available vulnerabilities and whether they exist in your software inventory. Use this reference to construct queries that return information from the table.
For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|
| CveId | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system|
| CvssScore | string | Severity score assigned to the security vulnerability under th Common Vulnerability Scoring System (CVSS)|
| IsExploitAvailable | string | Indicates whether exploit code for the vulnerability is publicly available|
| VulnerabilitySeverityLevel | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape|
| LastModifiedTime | datetime | Date and time the item or related metadata was last modified|
| PublishedDate | datetime | Date vulnerability was disclosed to public|
| VulnerabilityDescription | string | Description of vulnerability and associated risks|
| AffectedSoftware | string | List of all software products affected by the vulnerability|
## Related topics
- [Advanced hunting overview](overview-hunting.md)
- [All Advanced hunting tables](advanced-hunting-reference.md)
- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
- [Query data using Advanced hunting](advanced-hunting.md)

6
windows/security/threat-protection/microsoft-defender-atp/preview.md
View File

@ -42,11 +42,15 @@ Turn on the preview experience setting to be among the first to try upcoming fea
## Preview features
The following features are included in the preview release:
- [Microsoft Threat Experts - Experts on Demand](microsoft-threat-experts.md) <BR> You now have the option to consult with Microsoft Threat Experts from several places in the portal to help you in the context of your investigation.
- [Indicators for IP addresses, URLs/Domains](manage-indicators.md) <BR> You can now allow or block URLs/domains using your own threat intelligence.
- [Microsoft Defender ATP for Mac](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac) <BR> Microsoft Defender ATP for Mac brings the next-generation protection, and endpoint detection and response coverage to Mac devices. Core components of the unified endpoint security platform will now be available for Mac devices.
- [Threat & Vulnerability Management Report inaccuracy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy) <BR> You can report a false positive when you see any vague, inaccurate, incomplete, or already remediated [security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy), [software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory#report-inaccuracy), and [discovered vulnerabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses#report-inaccuracy).
- [Threat & Vulnerability Management Report inaccuracy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy) <BR> You can report a false positive when you see any vague, inaccurate, incomplete, or already remediated [security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy), [software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory#report-inaccuracy), and [discovered vulnerabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses#report-inaccuracy).
- [Threat & Vulnerability Management Advanced Hunting Schemas](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-registryevents-table) <BR> You can now use the Threat & Vulnerability Management tables in the Advanced hunting schema to query about software inventory, vulnerability knowledgebase, security configuration assessment, and security configuration knowledgebase.
- [Machine health and compliance report](machine-reports.md) The machine health and compliance report provides high-level information about the devices in your organization.

25
windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
View File

@ -150,6 +150,29 @@ When an exception is created for a recommendation, the recommendation is no long
6. Navigate to the **Remediation** page under the **Threat & Vulnerability Management** menu and click the **Exceptions** tab to view all your exceptions (current and past).
## Use Advanced hunting query to search for machines with High active alerts or critical CVE public exploit
1. Go to **Advanced hunting** from the left-hand navigation pane.
2. Scroll down to the TVM advanced hunting schemas to familiarize yourself with the column names.
3. Enter the following queries:
```
// Search for machines with High active alerts or Critical CVE public exploit
DeviceTvmSoftwareInventoryVulnerabilities
| join kind=inner(DeviceTvmSoftwareVulnerabilitiesKB) on CveId
| where IsExploitAvailable == 1 and CvssScore >= 7
| summarize NumOfVulnerabilities=dcount(CveId),
ComputerName=any(ComputerName) by MachineId
| join kind =inner(AlertEvents) on MachineId
| summarize NumOfVulnerabilities=any(NumOfVulnerabilities),
ComputerName=any(ComputerName) by MachineId, AlertId
| project ComputerName, NumOfVulnerabilities, AlertId
| order by NumOfVulnerabilities desc
```
## Related topics
- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
@ -159,3 +182,5 @@ When an exception is created for a recommendation, the recommendation is no long
- [Remediation](tvm-remediation.md)
- [Software inventory](tvm-software-inventory.md)
- [Weaknesses](tvm-weaknesses.md)
- [Advanced hunting overview](overview-hunting.md)
- [All Advanced hunting tables](advanced-hunting-reference.md)

2
windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
View File

@ -79,8 +79,6 @@ You can report a false positive when you see any vague, inaccurate, incomplete,
6. Click **Submit**. Your feedback is immediately sent to the Threat & Vulnerability Management experts with its context.
## Related topics
- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)