From 913a0f4348b2548826571426d0ad0ce82c2566fd Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 30 Mar 2020 15:05:15 -0700 Subject: [PATCH 1/8] add log analytics proxy info --- .../microsoft-defender-atp/configure-proxy-internet.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md index f810639c75..c6e9501477 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md @@ -120,6 +120,16 @@ United States | ```us.vortex-win.data.microsoft.com```
```ussus1eastprod.bl If a proxy or firewall is blocking anonymous traffic, as Microsoft Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the previously listed URLs. +### Log analytics agent requirements + +The information below list the proxy and firewall configuration information required to communicate with log analytics. + +|Agent Resource|Ports |Direction |Bypass HTTPS inspection| +|------|---------|--------|--------| +|*.ods.opinsights.azure.com |Port 443 |Outbound|Yes | +|*.oms.opinsights.azure.com |Port 443 |Outbound|Yes | +|*.blob.core.windows.net |Port 443 |Outbound|Yes | + ## Microsoft Defender ATP service backend IP range If your network devices don't support the URLs added to an "allow" list in the prior section, you can use the following information. From dd38b1b8e1f1a541fb11d6e96207edf274f10fbf Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 30 Mar 2020 15:39:16 -0700 Subject: [PATCH 2/8] update --- .../microsoft-defender-atp/configure-proxy-internet.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md index c6e9501477..289aefb10c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md 
@@ -122,7 +122,7 @@ If a proxy or firewall is blocking anonymous traffic, as Microsoft Defender ATP ### Log analytics agent requirements -The information below list the proxy and firewall configuration information required to communicate with log analytics. +The information below list the proxy and firewall configuration information required to communicate with log analytics agent (previously known as Microsoft Monitoring Agent) for the downlevel versions of Windows such as Windows 7 SP1, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2, and Windows Server 2016. |Agent Resource|Ports |Direction |Bypass HTTPS inspection| |------|---------|--------|--------| From d1a3b471f985382b624eee9566bfe9a7a5231da9 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 1 Apr 2020 11:05:32 -0700 Subject: [PATCH 3/8] update link --- .../microsoft-defender-atp/configure-server-endpoints.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md index 75e7f8f006..e1b6576f62 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md 
@@ -113,7 +113,7 @@ The following steps are required to enable this integration: On the **Agent Setup Options** page, choose **Connect the agent to Azure Log Analytics (OMS)**. - [Install the agent using the command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-the-command-line) and [configure the agent using a script](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#add-a-workspace-using-a-script). -3. You'll need to configure proxy settings for the Microsoft Monitoring Agent. For more information, see [Configure proxy settings](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#configure-proxy-settings). +3. You'll need to configure proxy settings for the Microsoft Monitoring Agent. For more information, see [Configure proxy settings](configure-proxy-internet.md). Once completed, you should see onboarded servers in the portal within an hour. From ef2f8e295ad772fff982f89a0a1989a8181dfd91 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 1 Apr 2020 11:33:47 -0700 Subject: [PATCH 4/8] tweak --- .../microsoft-defender-atp/configure-proxy-internet.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md index 289aefb10c..78013f4a20 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md 
@@ -122,7 +122,7 @@ If a proxy or firewall is blocking anonymous traffic, as Microsoft Defender ATP ### Log analytics agent requirements -The information below list the proxy and firewall configuration information required to communicate with log analytics agent (previously known as Microsoft Monitoring Agent) for the downlevel versions of Windows such as Windows 7 SP1, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2, and Windows Server 2016. +The information below list the proxy and firewall configuration information required to communicate with Log Analytics agent (often referred to as Microsoft Monitoring Agent) for the previous versions of Windows such as Windows 7 SP1, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2, and Windows Server 2016. |Agent Resource|Ports |Direction |Bypass HTTPS inspection| |------|---------|--------|--------| From c0528c4694265c93cae6982a5d9a0adb30001c76 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Wed, 1 Apr 2020 14:38:09 -0700 Subject: [PATCH 5/8] Indented a note in a list item --- .../microsoft-defender-atp/configure-proxy-internet.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md index 78013f4a20..4654624800 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md 
@@ -38,8 +38,8 @@ The WinHTTP configuration setting is independent of the Windows Internet (WinINe - Transparent proxy - Web Proxy Auto-discovery Protocol (WPAD) -> [!NOTE] -> If you're using Transparent proxy or WPAD in your network topology, you don't need special configuration settings. For more information on Microsoft Defender ATP URL exclusions in the proxy, see [Enable access to Microsoft Defender ATP service URLs in the proxy server](#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server). + > [!NOTE] + > If you're using Transparent proxy or WPAD in your network topology, you don't need special configuration settings. For more information on Microsoft Defender ATP URL exclusions in the proxy, see [Enable access to Microsoft Defender ATP service URLs in the proxy server](#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server). - Manual static proxy configuration: - Registry based configuration From b354b6ed9009bf010f54a2e2a64a001b42c37ca8 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Wed, 1 Apr 2020 14:59:26 -0700 Subject: [PATCH 6/8] Corrected code block that wasn't rendered --- .../microsoft-defender-atp/configure-server-endpoints.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md index e1b6576f62..6e70b912af 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md 
@@ -153,11 +153,13 @@ Support for Windows Server, version 1803 and Windows 2019 provides deeper insigh b. Run the following PowerShell command to verify that the passive mode was configured: - ```Get-WinEvent -FilterHashtable @{ProviderName="Microsoft-Windows-Sense" ;ID=84}``` + ```PowerShell + Get-WinEvent -FilterHashtable @{ProviderName="Microsoft-Windows-Sense" ;ID=84} + ``` c. Confirm that a recent event containing the passive mode event is found: - ![Image of passive mode verification result](images/atp-verify-passive-mode.png) + ![Image of passive mode verification result](images/atp-verify-passive-mode.png) 3. Run the following command to check if Windows Defender AV is installed: From 37b683b9b9bfdb5593799beaf0cfd39d24c2f5dc Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Wed, 1 Apr 2020 15:16:53 -0700 Subject: [PATCH 7/8] Fixing indented content... ... I don't see why this is failing, but here's another attempt at fixing. --- .../microsoft-defender-atp/configure-server-endpoints.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md index 6e70b912af..6aaf3ab272 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md 
@@ -153,13 +153,13 @@ Support for Windows Server, version 1803 and Windows 2019 provides deeper insigh b. Run the following PowerShell command to verify that the passive mode was configured: - ```PowerShell - Get-WinEvent -FilterHashtable @{ProviderName="Microsoft-Windows-Sense" ;ID=84} - ``` + ```PowerShell + Get-WinEvent -FilterHashtable @{ProviderName="Microsoft-Windows-Sense" ;ID=84} + ``` c. Confirm that a recent event containing the passive mode event is found: - ![Image of passive mode verification result](images/atp-verify-passive-mode.png) + ![Image of passive mode verification result](images/atp-verify-passive-mode.png) 3. Run the following command to check if Windows Defender AV is installed: From 349b533d5af3ac3c4af8dc07c318350a6c5b07cc Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Wed, 1 Apr 2020 15:36:31 -0700 Subject: [PATCH 8/8] Indented a note in a list item --- .../microsoft-defender-atp/configure-server-endpoints.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md index 6aaf3ab272..60c1eea5f2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md 
@@ -174,8 +174,8 @@ Microsoft Defender ATP integrates with Azure Security Center to provide a compre The following capabilities are included in this integration: - Automated onboarding - Microsoft Defender ATP sensor is automatically enabled on Windows Servers that are onboarded to Azure Security Center. For more information on Azure Security Center onboarding, see [Onboarding to Azure Security Center Standard for enhanced security](https://docs.microsoft.com/azure/security-center/security-center-onboarding). -> [!NOTE] -> Automated onboarding is only applicable for Windows Server 2012 R2 and Windows Server 2016. + > [!NOTE] + > Automated onboarding is only applicable for Windows Server 2012 R2 and Windows Server 2016. - Servers monitored by Azure Security Center will also be available in Microsoft Defender ATP - Azure Security Center seamlessly connects to the Microsoft Defender ATP tenant, providing a single view across clients and servers. In addition, Microsoft Defender ATP alerts will be available in the Azure Security Center console. - Server investigation - Azure Security Center customers can access Microsoft Defender Security Center to perform detailed investigation to uncover the scope of a potential breach
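Review bot: In the 1/8 hunk, the new table grants "Bypass HTTPS inspection: Yes" to `*.blob.core.windows.net`, a wildcard that covers every Azure Storage account rather than only the Log Analytics endpoints; the sentence above the table should say why the agent needs that breadth (or narrow it to the storage hosts the agent actually contacts, if those are documented), so readers do not whitelist all of Azure blob storage by default. Also, "The information below list the proxy and firewall configuration information" reads "lists", and "configuration information" is said twice in the sentence.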
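Review bot: In the 3/8 hunk, the relative link `configure-proxy-internet.md` lands at the top of the proxy article rather than on the new "Log analytics agent requirements" section, and that section documents the URLs, ports and inspection-bypass requirements, not how to set proxy settings on the Microsoft Monitoring Agent itself, which is what the link text "Configure proxy settings" promises. Suggest pointing to the section with its heading fragment (expected slug `#log-analytics-agent-requirements`) and keeping the original `log-analytics-windows-agents#configure-proxy-settings` link for the agent-side procedure.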
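Review bot: In the 4/8 hunk, the sentence is rewritten for the third time in this series and still carries "The information below list"; make it "lists" here. "Previous versions of Windows" is clearer than "downlevel", but Windows Server 2016 is not a previous version in the same sense as Windows 7 SP1, so "the following versions of Windows, which use the Log Analytics agent" would describe the list more accurately.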
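Review bot: In the 6/8 hunk, the command in the new fence has a stray space before the semicolon: `@{ProviderName="Microsoft-Windows-Sense"; ID=84}`. Since step c asks the reader to confirm that a recent event is present, adding `-MaxEvents 1` to the `Get-WinEvent` call would surface the latest matching event directly instead of the whole history. The fence tag is conventionally lowercase (`powershell`).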
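Review bot: In the 7/8 hunk, the change is whitespace-only (the fence and image indentation under sub-item "b." and "c."), which cannot be reviewed in this view; the commit message "I don't see why this is failing" should state the failing check and the indent column targeted (the content column of the "b." item), so the next person can verify the fix without reproducing the build. Inside a fenced block, the closing backticks must sit at the same indent as the opening ones or the block does not close; that is the most likely cause of the earlier render failure.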
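Review bot: In the 8/8 hunk, the nested note restricts automated onboarding to Windows Server 2012 R2 and Windows Server 2016, while the bullet it sits under says the sensor is "automatically enabled on Windows Servers that are onboarded to Azure Security Center" without qualification. Put the version restriction in the bullet text itself ("on Windows Server 2012 R2 and Windows Server 2016 servers that are onboarded"), so a reader skimming the capability list does not expect it on other server versions; the indented note can then stay as a reminder.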