Merge branch 'master' into tvm-updates
@ -443,7 +443,7 @@
|
||||
### [Configure integration with other Microsoft solutions]()
|
||||
#### [Configure conditional access](microsoft-defender-atp/configure-conditional-access.md)
|
||||
#### [Configure Microsoft Cloud App Security integration](microsoft-defender-atp/microsoft-cloud-app-security-config.md)
|
||||
#### [Configure information protection in Windows](microsoft-defender-atp/information-protection-in-windows-config.md)
|
||||
|
||||
|
||||
|
||||
## Reference
|
||||
|
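Review bot: The entry `#### [Configure information protection in Windows](microsoft-defender-atp/information-protection-in-windows-config.md)` in this hunk points at a file that this same change deletes in full (the `@ -1,95 +0,0 @@` hunk below removes `information-protection-in-windows-config.md`). Confirm that this TOC line is on the removed side of the hunk; if it survives, the TOC ships a dead link. The empty target on the parent node `[Configure integration with other Microsoft solutions]()` is the usual convention for a non-clickable TOC node, so that part is fine as is.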
@ -102,7 +102,8 @@ See [Netsh Command Syntax, Contexts, and Formatting](https://docs.microsoft.com/
|
||||
|
||||
## Enable access to Microsoft Defender ATP service URLs in the proxy server
|
||||
|
||||
If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are not blocked by default. Do not disable security monitoring or inspection of these URLs, but allow them as you would other internet traffic. They permit communication with Microsoft Defender ATP service in port 80 and 443:
|
||||
If a proxy or firewall is blocking all traffic by default and allowing only specific domains through, add the domains listed below to the allowed domains list.
|
||||
If a proxy or firewall has HTTPS scanning (SSL inspection) enabled, exclude the domains listed below from HTTPS scanning.
|
||||
|
||||
> [!NOTE]
|
||||
> settings-win.data.microsoft.com is only needed if you have Windows 10 machines running version 1803 or earlier.<br>
|
||||
|
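Review bot: The replacement text drops two facts the original sentence carried: that the service URLs are reached on ports 80 and 443, and the instruction not to disable security monitoring of them. The new second sentence, "exclude the domains listed below from HTTPS scanning", also reads as the opposite of the original "Do not disable security monitoring or inspection of these URLs"; if the exclusion is required because SSL inspection interferes with the sensor's connection, say so in one clause so readers understand the scope of the exception rather than treating it as a blanket instruction to stop inspecting. Minor: the `[!NOTE]` line ends with a stray `<br>` that is not needed inside a note block.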
@ -1,95 +0,0 @@
|
||||
---
|
||||
title: Configure information protection in Windows
|
||||
ms.reviewer:
|
||||
description: Learn how to expand the coverage of Windows Information Protection (WIP) to protect files based on their label, regardless of their origin.
|
||||
keywords: information, protection, data, loss, prevention, wip, policy, scc, compliance, labels, dlp
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.author: macapara
|
||||
author: mjcaparas
|
||||
ms.localizationpriority: medium
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
---
|
||||
|
||||
# Configure information protection in Windows
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
|
||||
|
||||
[!include[Prerelease information](../../includes/prerelease.md)]
|
||||
|
||||
Learn how you can use Microsoft Defender ATP to expand the coverage of Windows Information Protection (WIP) to protect files based on their label, regardless of their origin.
|
||||
|
||||
>[!TIP]
|
||||
> Read our blog post about how [Microsoft Defender ATP integrates with Microsoft Information Protection to discover, protect, and monitor sensitive data on Windows devices](https://cloudblogs.microsoft.com/microsoftsecure/2019/01/17/windows-defender-atp-integrates-with-microsoft-information-protection-to-discover-protect-and-monitor-sensitive-data-on-windows-devices/).
|
||||
|
||||
If a file meets the criteria set in the policy settings and endpoint data loss prevention setting is also configured, WIP will be enabled for that file.
|
||||
|
||||
|
||||
|
||||
## Prerequisites
|
||||
- Endpoints need to be on Windows 10, version 1809 or later
|
||||
- You need the appropriate license to use the Microsoft Defender ATP and Azure Information Protection integration
|
||||
- Your tenant needs to be onboarded to Azure Information Protection analytics, for more information, see [Configure a Log Analytics workspace for the reports](https://docs.microsoft.com/azure/information-protection/reports-aip#configure-a-log-analytics-workspace-for-the-reports)
|
||||
|
||||
|
||||
## Configure endpoint data loss prevention
|
||||
Complete the following steps so that Microsoft Defender ATP can automatically identify labeled documents stored on the device and enable WIP on them.
|
||||
|
||||
>[!NOTE]
|
||||
>- The Microsoft Defender ATP configuration is pulled every 15 minutes. Allow up to 30 minutes for the new policy to take effect and ensure that the endpoint is online. Otherwise, it will not receive the policy.
|
||||
>- Data forwarded to Azure Information Protection is stored in the same location as your other Azure Information Protection data.
|
||||
|
||||
1. Define a WIP policy and assign it to the relevant devices. For more information, see [Protect your enterprise data using Windows Information Protection (WIP)](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip). If WIP is already configured on the relevant devices, skip this step.
|
||||
2. Define which labels need to get WIP protection in Office 365 Security and Compliance.
|
||||
|
||||
1. Go to: **Classifications > Labels**.
|
||||
2. Create a label or edit an existing one.
|
||||
3. In the configuration wizard, go to 'Data loss prevention' tab and enable WIP.
|
||||
|
||||

|
||||
|
||||
4. Repeat for every label that you want to get WIP applied to in Windows.
|
||||
|
||||
|
||||
|
||||
|
||||
## Configure auto labeling
|
||||
|
||||
Windows automatically detects when an Office file, CSV, or TXT files are being created on a device and inspects it based on context to identify sensitive information types.
|
||||
|
||||
Those information types are evaluated against the auto-labeling policy. If a match is found, it is processed in the same way as if the file was labeled. The file is protected with Endpoint data loss prevention.
|
||||
|
||||
>[!NOTE]
|
||||
> Auto-labeling requires Windows 10, version 1903.
|
||||
|
||||
|
||||
1. In Office 365 Security & Compliance, go to **Classifications > Labels**.
|
||||
|
||||
2. Create a new label or edit an existing one.
|
||||
|
||||
|
||||
3. Set a policy for Data classification:
|
||||
|
||||
1. Go through the label creation wizard.
|
||||
2. When you reach the Auto labeling page, turn on auto labeling toggle on.
|
||||
3. Add a new auto-labeling rule with the conditions that you require.
|
||||
|
||||

|
||||
|
||||
4. Validate that "When content matches these conditions" setting is set to "Automatically apply the label".
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
## Related topic
|
||||
- [Information protection in Windows overview](information-protection-in-windows-overview.md)
|
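Review bot: Deleting `information-protection-in-windows-config.md` outright needs a redirect for its published URL, because the overview page touched in this same change links to it twice with "For more information, see [Configure information protection in Windows](information-protection-in-windows-config.md)" and the deleted page's own `## Related topic` links back to `information-protection-in-windows-overview.md`. Confirm those cross-links sit on the removed side of the overview hunk and add the redirect so bookmarked links do not 404. The deleted content also carried the only statement of the Windows 10 version requirements for auto labeling (1809 or later for the feature, 1903 for auto labeling); if that information is meant to live on after the delete, it needs a new home.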
@ -27,7 +27,6 @@ ms.topic: conceptual
|
||||
|
||||
Information protection is an integral part of Microsoft 365 Enterprise suite, providing intelligent protection to keep sensitive data secure while enabling productivity in the workplace.
|
||||
|
||||
Microsoft Defender ATP is seamlessly integrated in Microsoft Threat Protection to provide a complete and comprehensive data loss prevention (DLP) solution for Windows devices. This solution is delivered and managed as part of the unified Microsoft 365 information protection suite.
|
||||
|
||||
>[!TIP]
|
||||
> Read our blog post about how [Microsoft Defender ATP integrates with Microsoft Information Protection to discover, protect, and monitor sensitive data on Windows devices](https://cloudblogs.microsoft.com/microsoftsecure/2019/01/17/windows-defender-atp-integrates-with-microsoft-information-protection-to-discover-protect-and-monitor-sensitive-data-on-windows-devices/).
|
||||
@ -95,36 +94,6 @@ InformationProtectionLogs_CL
|
||||
- Enable Azure Information Protection integration in Microsoft Defender Security Center:
|
||||
- Go to **Settings** in Microsoft Defender Security Center, click on **Advanced Settings** under **General**.
|
||||
|
||||
## Data protection
|
||||
|
||||
### Endpoint data loss prevention
|
||||
|
||||
For data to be protected, they must first be identified through labels.
|
||||
|
||||
Sensitivity labels are created in Office 365 Security & Compliance Center. Microsoft Defender ATP then uses the labels to identify endpoints that need Windows Information Protection (WIP) applied on them.
|
||||
|
||||
When you create sensitivity labels, you can set the information protection functionalities that will be applied on the file. The setting that applies to Microsoft Defender ATP is the Endpoint data loss prevention.
|
||||
|
||||
For the endpoint data loss prevention, you'll need to turn on the Endpoint Data loss prevention and select Enable Windows end point protection (DLP for devices).
|
||||
|
||||

|
||||
|
||||
Once, the policy is set and published, Microsoft Defender ATP automatically enables WIP for labeled files. When a labeled file is created or modified on a Windows device, Microsoft Defender ATP automatically detects it and enables WIP on that file if its label corresponds with Office Security and Compliance (SCC) policy.
|
||||
|
||||
This functionality expands the coverage of WIP to protect files based on their label, regardless of their origin.
|
||||
|
||||
For more information, see [Configure information protection in Windows](information-protection-in-windows-config.md).
|
||||
|
||||
## Auto labeling
|
||||
|
||||
Auto labeling is another way to protect data and can also be configured in Office 365 Security & Compliance Center. Windows automatically detects when an Office file, PDF, CSV or TXT files are being created on a device and inspects it based on context to identify sensitive information types.
|
||||
|
||||
Those information types are evaluated against the auto-labeling policy. If a match is found, it is processed in the same way as if the file was labeled; the file is protected with Endpoint data loss prevention.
|
||||
|
||||
> [!NOTE]
|
||||
> Auto-labeling is supported in Office apps only when the Azure Information Protection unified labeling client is installed. When sensitive content is detected in email or documents matching the conditions you choose, a label can automatically be applied or a message can be shown to users recommending they apply it themselves.
|
||||
|
||||
For more information, see [Configure information protection in Windows](information-protection-in-windows-config.md).
|
||||
|
||||
## Related topics
|
||||
|
||||
|
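Review bot: After this hunk removes the `## Data protection` and `## Auto labeling` sections, the `## Related topics` heading that closes the hunk has nothing under it in the visible context; either an entry follows in the unchanged remainder of the file or the heading should be removed with the sections. The removed text contained the cross-links to `information-protection-in-windows-config.md`, which the same change deletes, so that side is consistent.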
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Investigate entities on machines using live response in Microsoft Defender ATP
|
||||
description: Access a machine using a secure remote shell connection to do investigative work and take immediate response actions on a machine in real-time.
|
||||
description: Access a machine using a secure remote shell connection to do investigative work and take immediate response actions on a machine in real time.
|
||||
keywords: remote, shell, connection, live, response, real-time, command, script, remediate, hunt, export, log, drop, download, file,
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
search.appverid: met150
|
||||
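Review bot: The `keywords:` line ends with a dangling comma after `file,`; drop it or add the missing term. It also still reads `real-time` while the description on the line above was just changed from `real-time` to `real time`, so pick one spelling for both.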
@ -17,29 +17,42 @@ ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
---
|
||||
|
||||
# Investigate entities on machines using live response
|
||||
# Investigate entities on devices using live response
|
||||
|
||||
**Applies to:**
|
||||
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
|
||||
|
||||
|
||||
Live response is a capability that gives you instantaneous access to a machine using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats – real-time.
|
||||
Live response is a capability that gives your security operations team instantaneous access to a device (also referred to as a machine) using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats –- in real time.
|
||||
|
||||
Live response is designed to enhance investigations by enabling you to collect forensic data, run scripts, send suspicious entities for analysis, remediate threats, and proactively hunt for emerging threats.
|
||||
Live response is designed to enhance investigations by enabling your security operations team to collect forensic data, run scripts, send suspicious entities for analysis, remediate threats, and proactively hunt for emerging threats.
|
||||
|
||||
> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4qLUW]
|
||||
> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4qLUW]
|
||||
|
||||
With live response, analysts will have the ability to:
|
||||
- Run basic and advanced commands to do investigative work
|
||||
With live response, analysts can do all of the following tasks:
|
||||
- Run basic and advanced commands to do investigative work on a device
|
||||
- Download files such as malware samples and outcomes of PowerShell scripts
|
||||
- Upload a PowerShell script or executable to the library and run it on the machine from a tenant level
|
||||
- Download files in the background (new!)
|
||||
- Upload a PowerShell script or executable to the library and run it on a device from a tenant level
|
||||
- Take or undo remediation actions
|
||||
|
||||
|
||||
## Before you begin
|
||||
Before you can initiate a session on a machine, make sure you fulfill the following requirements:
|
||||
|
||||
- Machines must be Windows 10, version 18323 (also known as Windows 10 19H1) or later.
|
||||
Before you can initiate a session on a device, make sure you fulfill the following requirements:
|
||||
|
||||
- **Verify that you're running a supported version of Windows 10** <br/>
|
||||
Devices must be running one of the following versions of Windows 10:
|
||||
- [1909](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1909) or later
|
||||
- [1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903)
|
||||
- [1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809)
|
||||
- [1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803)
|
||||
- [1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
|
||||
|
||||
- **Make sure to install appropriate security updates**<br/>
|
||||
- 1903: [KB4515384](https://support.microsoft.com/help/4515384/windows-10-update-kb4515384)
|
||||
- 1809 (RS5): [KB4537818](https://support.microsoft.com/help/4537818/windows-10-update-kb4537818)
|
||||
- 1803 (RS4): [KB4537795](https://support.microsoft.com/help/4537795/windows-10-update-kb4537795)
|
||||
- 1709 (RS3): [KB4537816](https://support.microsoft.com/help/4537816/windows-10-update-kb4537816)
|
||||
|
||||
- **Enable live response from the settings page**<br>
|
||||
You'll need to enable the live response capability in the [Advanced features settings](advanced-features.md) page.
|
||||
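Review bot: The new intro paragraph has a stray double dash in "contain identified threats –- in real time" (an en dash followed by a hyphen); use a single dash or a comma. The bullet "Download files in the background (new!)" will go stale quickly, so drop the "(new!)" tag. In the supported versions list 1909 is given as "1909 or later", but the security-updates list below has no entry for 1909; add one or state that no update is required there. The `<br/>` in the first two bold bullets and the `<br>` in the third should also be made consistent.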
@ -52,18 +65,18 @@ You'll need to enable the live response capability in the [Advanced features set
|
||||
>[!WARNING]
|
||||
>Allowing the use of unsigned scripts may increase your exposure to threats.
|
||||
|
||||
Running unsigned scripts is generally not recommended as it can increase your exposure to threats. If you must use them however, you'll need to enable the setting in the [Advanced features settings](advanced-features.md) page.
|
||||
Running unsigned scripts is not recommended as it can increase your exposure to threats. If you must use them however, you'll need to enable the setting in the [Advanced features settings](advanced-features.md) page.
|
||||
|
||||
- **Ensure that you have the appropriate permissions**<br>
|
||||
Only users who have been provisioned with the appropriate permissions can initiate a session. For more information on role assignments see, [Create and manage roles](user-roles.md).
|
||||
Only users who have been provisioned with the appropriate permissions can initiate a session. For more information on role assignments, see [Create and manage roles](user-roles.md).
|
||||
|
||||
> [!IMPORTANT]
|
||||
> The option to upload a file to the library is only available to those with the appropriate RBAC permissions. The button is greyed out for users with only delegated permissions.
|
||||
|
||||
Depending on the role that's been granted to you, you can run basic or advanced live response commands. Users permission are controlled by RBAC custom role.
|
||||
Depending on the role that's been granted to you, you can run basic or advanced live response commands. Users permissions are controlled by RBAC custom role.
|
||||
|
||||
## Live response dashboard overview
|
||||
When you initiate a live response session on a machine, a dashboard opens. The dashboard provides information about the session such as:
|
||||
When you initiate a live response session on a device, a dashboard opens. The dashboard provides information about the session such as the following:
|
||||
|
||||
- Who created the session
|
||||
- When the session started
|
||||
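Review bot: "Users permissions are controlled by RBAC custom role." is still ungrammatical after the edit; the same sentence later in this file (hunk `@ -79,81 +92,109 @@`) has the right form, "User permissions are controlled by RBAC custom roles.", so use that wording here as well.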
@ -79,81 +92,109 @@ The dashboard also gives you access to:
|
||||
## Initiate a live response session on a machine
|
||||
|
||||
1. Log in to Microsoft Defender Security Center.
|
||||
2. Navigate to the machines list page and select a machine to investigate. The machine page opens.
|
||||
|
||||
>[!NOTE]
|
||||
>Machines must be on Windows 10, version 18323 (also known as Windows 10 19H1) or later.
|
||||
2. Navigate to the devices list page and select a machine to investigate. The machines page opens.
|
||||
|
||||
2. Launch the live response session by selecting **Initiate live response session**. A command console is displayed. Wait while the session connects to the machine.
|
||||
3. Use the built-in commands to do investigative work. For more information see, [Live response commands](#live-response-commands).
|
||||
4. After completing your investigation, select **Disconnect session**, then select **Confirm**.
|
||||
3. Launch the live response session by selecting **Initiate live response session**. A command console is displayed. Wait while the session connects to the device.
|
||||
|
||||
4. Use the built-in commands to do investigative work. For more information, see [Live response commands](#live-response-commands).
|
||||
|
||||
5. After completing your investigation, select **Disconnect session**, then select **Confirm**.
|
||||
|
||||
## Live response commands
|
||||
Depending on the role that's been granted to you, you can run basic or advanced live response commands. User permissions are controlled by RBAC custom roles. For more information on role assignments see, [Create and manage roles](user-roles.md).
|
||||
|
||||
Depending on the role that's been granted to you, you can run basic or advanced live response commands. User permissions are controlled by RBAC custom roles. For more information on role assignments, see [Create and manage roles](user-roles.md).
|
||||
|
||||
### Basic commands
|
||||
The following commands are available for user roles that's been granted the ability to run **basic** live response commands. For more information on role assignments see, [Create and manage roles](user-roles.md).
|
||||
|
||||
Command | Description
|
||||
:---|:---|:---
|
||||
cd | Changes the current directory.
|
||||
cls | Clears the console screen.
|
||||
connect | Initiates a live response session to the machine.
|
||||
connections | Shows all the active connections.
|
||||
dir | Shows a list of files and subdirectories in a directory
|
||||
drivers | Shows all drivers installed on the machine.
|
||||
fileinfo | Get information about a file.
|
||||
findfile | Locates files by a given name on the machine.
|
||||
help | Provides help information for live response commands.
|
||||
persistence | Shows all known persistence methods on the machine.
|
||||
processes | Shows all processes running on the machine.
|
||||
registry | Shows registry values.
|
||||
scheduledtasks| Shows all scheduled tasks on the machine.
|
||||
services | Shows all services on the machine.
|
||||
trace | Sets the terminal's logging mode to debug.
|
||||
The following commands are available for user roles that are granted the ability to run **basic** live response commands. For more information on role assignments, see [Create and manage roles](user-roles.md).
|
||||
|
||||
| Command | Description |
|
||||
|---|---|--- |
|
||||
|`cd` | Changes the current directory. |
|
||||
|`cls` | Clears the console screen. |
|
||||
|`connect` | Initiates a live response session to the device. |
|
||||
|`connections` | Shows all the active connections. |
|
||||
|`dir` | Shows a list of files and subdirectories in a directory. |
|
||||
|`download <file_path> &` | Downloads a file in the background. |
|
||||
drivers | Shows all drivers installed on the device. |
|
||||
|`fg <command ID>` | Returns a file download to the foreground. |
|
||||
|`fileinfo` | Get information about a file. |
|
||||
|`findfile` | Locates files by a given name on the device. |
|
||||
|`help` | Provides help information for live response commands. |
|
||||
|`persistence` | Shows all known persistence methods on the device. |
|
||||
|`processes` | Shows all processes running on the device. |
|
||||
|`registry` | Shows registry values. |
|
||||
|`scheduledtasks` | Shows all scheduled tasks on the device. |
|
||||
|`services` | Shows all services on the device. |
|
||||
|`trace` | Sets the terminal's logging mode to debug. |
|
||||
|
||||
### Advanced commands
|
||||
The following commands are available for user roles that's been granted the ability to run **advanced** live response commands. For more information on role assignments see, [Create and manage roles](user-roles.md).
|
||||
The following commands are available for user roles that are granted the ability to run **advanced** live response commands. For more information on role assignments see, [Create and manage roles](user-roles.md).
|
||||
|
||||
Command | Description
|
||||
:---|:---
|
||||
analyze | Analyses the entity with various incrimination engines to reach a verdict.
|
||||
getfile | Gets a file from the machine. <br> NOTE: This command has a prerequisite command. You can use the `-auto` command in conjunction with `getfile` to automatically run the prerequisite command.
|
||||
run | Runs a PowerShell script from the library on the machine.
|
||||
library | Lists files that were uploaded to the live response library.
|
||||
putfile | Puts a file from the library to the machine. Files are saved in a working folder and are deleted when the machine restarts by default.
|
||||
remediate | Remediates an entity on the machine. The remediation action will vary depending on the entity type:<br>- File: delete<br>- Process: stop, delete image file<br>- Service: stop, delete image file<br>- Registry entry: delete<br>- Scheduled task: remove<br>- Startup folder item: delete file <br> NOTE: This command has a prerequisite command. You can use the `-auto` command in conjunction with `remediate` to automatically run the prerequisite command.
|
||||
undo | Restores an entity that was remediated.
|
||||
| Command | Description |
|
||||
|---|---|
|
||||
| `analyze` | Analyses the entity with various incrimination engines to reach a verdict. |
|
||||
| `getfile` | Gets a file from the device. <br> NOTE: This command has a prerequisite command. You can use the `-auto` command in conjunction with `getfile` to automatically run the prerequisite command. |
|
||||
| `run` | Runs a PowerShell script from the library on the device. |
|
||||
| `library` | Lists files that were uploaded to the live response library. |
|
||||
| `putfile` | Puts a file from the library to the device. Files are saved in a working folder and are deleted when the device restarts by default. |
|
||||
| `remediate` | Remediates an entity on the device. The remediation action will vary depending on the entity type:<br>- File: delete<br>- Process: stop, delete image file<br>- Service: stop, delete image file<br>- Registry entry: delete<br>- Scheduled task: remove<br>- Startup folder item: delete file <br> NOTE: This command has a prerequisite command. You can use the `-auto` command in conjunction with `remediate` to automatically run the prerequisite command.
|
||||
|`undo` | Restores an entity that was remediated. |
|
||||
|
||||
|
||||
## Use live response commands
|
||||
|
||||
The commands that you can use in the console follow similar principles as [Windows Commands](https://docs.microsoft.com/windows-server/administration/windows-commands/windows-commands#BKMK_c).
|
||||
|
||||
The advanced commands offer a more robust set of actions that allow you to take more powerful actions such as download and upload a file, run scripts on the machine, and take remediation actions on an entity.
|
||||
The advanced commands offer a more robust set of actions that allow you to take more powerful actions such as download and upload a file, run scripts on the device, and take remediation actions on an entity.
|
||||
|
||||
### Get a file from the machine
|
||||
For scenarios when you'd like get a file from a machine you're investigating, you can use the `getfile` command. This allows you to save the file from the machine for further investigation.
|
||||
|
||||
For scenarios when you'd like get a file from a device you're investigating, you can use the `getfile` command. This allows you to save the file from the device for further investigation.
|
||||
|
||||
>[!NOTE]
|
||||
>There is a file size limit of 750mb.
|
||||
|
||||
### Download a file in the background
|
||||
|
||||
To enable your security operations team to continue investigating an impacted device, files can now be downloaded in the background.
|
||||
|
||||
- To download a file in the background, in the live response command console, type `download <file_path> &`
|
||||
- If you are waiting for a file to be downloaded, you can move it to the background by using Ctrl + Z.
|
||||
- To bring a file download to the foreground, in the live response command console, type `fg <command_id>`
|
||||
|
||||
Here are some examples:
|
||||
|
||||
|
||||
|Command |What it does |
|
||||
|---------|---------|
|
||||
|`"C:\windows\some_file.exe" &` |Starts downloading a file named *some_file.exe* in the background. |
|
||||
|`fg 1234` |Returns a download with command ID *1234* to the foreground |
|
||||
|
||||
|
||||
### Put a file in the library
|
||||
|
||||
Live response has a library where you can put files into. The library stores files (such as scripts) that can be run in a live response session at the tenant level.
|
||||
|
||||
Live response allows PowerShell scripts to run, however you must first put the files into the library before you can run them.
|
||||
|
||||
You can have a collection of PowerShell scripts that can run on machines that you initiate live response sessions with.
|
||||
You can have a collection of PowerShell scripts that can run on devices that you initiate live response sessions with.
|
||||
|
||||
#### To upload a file in the library
|
||||
|
||||
**To upload a file in the library:**
|
||||
1. Click **Upload file to library**.
|
||||
|
||||
2. Click **Browse** and select the file.
|
||||
|
||||
3. Provide a brief description.
|
||||
|
||||
4. Specify if you'd like to overwrite a file with the same name.
|
||||
|
||||
5. If you'd like to be know what parameters are needed for the script, select the script parameters check box. In the text field, enter an example and a description.
|
||||
|
||||
6. Click **Confirm**.
|
||||
|
||||
7. (Optional) To verify that the file was uploaded to the library, run the `library` command.
|
||||
|
||||
|
||||
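Review bot: The basic commands table is broken in two places: the `drivers` row lacks the leading `|` and the backticks every other row uses, so it should read `|`drivers` | Shows all drivers installed on the device. |`, and the delimiter row `|---|---|--- |` declares three columns under a two-column header and should be `|---|---|`. The background-download example `"C:\windows\some_file.exe" &` omits the command itself; per the syntax given just above it (`download <file_path> &`) it should read `download "C:\windows\some_file.exe" &`. Smaller points in the same hunk: the headings "Initiate a live response session on a machine" and "Get a file from the machine", and the rewritten step "select a machine to investigate. The machines page opens.", still say machine while the surrounding body was moved to device; `#### To upload a file in the library` is immediately followed by the bold line `**To upload a file in the library:**`, so one of the two is redundant; "If you'd like to be know what parameters" should be "If you'd like to know what parameters"; "see, [Create and manage roles]" under Advanced commands keeps the misplaced comma that was fixed in the other occurrences; and "750mb" should be "750 MB".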
@ -163,9 +204,8 @@ Anytime during a session, you can cancel a command by pressing CTRL + C.
|
||||
>[!WARNING]
|
||||
>Using this shortcut will not stop the command in the agent side. It will only cancel the command in the portal. So, changing operations such as "remediate" may continue, while the command is canceled.
|
||||
|
||||
|
||||
|
||||
### Automatically run prerequisite commands
|
||||
|
||||
Some commands have prerequisite commands to run. If you don't run the prerequisite command, you'll get an error. For example, running the `download` command without `fileinfo` will return an error.
|
||||
|
||||
You can use the auto flag to automatically run prerequisite commands, for example:
|
||||
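Review bot: The prerequisite example names the wrong command: it says running `download` without `fileinfo` returns an error, but the advanced commands table in this file marks `getfile` and `remediate` as the commands with a prerequisite, the worked example in the next hunk is `getfile c:\Users\user\Desktop\work.txt -auto`, and `download` is the background-download command in the basic table. Change `download` to `getfile` here so the text matches the example and the table.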
@ -174,8 +214,8 @@ You can use the auto flag to automatically run prerequisite commands, for exampl
|
||||
getfile c:\Users\user\Desktop\work.txt -auto
|
||||
```
|
||||
|
||||
|
||||
## Run a PowerShell script
|
||||
|
||||
Before you can run a PowerShell script, you must first upload it to the library.
|
||||
|
||||
After uploading the script to the library, use the `run` command to run the script.
|
||||
@ -185,9 +225,8 @@ If you plan to use an unsigned script in the session, you'll need to enable the
|
||||
>[!WARNING]
|
||||
>Allowing the use of unsigned scripts may increase your exposure to threats.
|
||||
|
||||
|
||||
|
||||
## Apply command parameters
|
||||
|
||||
- View the console help to learn about command parameters. To learn about an individual command, run:
|
||||
|
||||
`help <command name>`
|
||||
@ -204,9 +243,8 @@ If you plan to use an unsigned script in the session, you'll need to enable the
|
||||
|
||||
`<command name> -type file -id <file path> - auto` or `remediate file <file path> - auto`.
|
||||
|
||||
|
||||
|
||||
## Supported output types
|
||||
|
||||
Live response supports table and JSON format output types. For each command, there's a default output behavior. You can modify the output in your preferred output format using the following commands:
|
||||
|
||||
- `-output json`
|
||||
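Review bot: Both command forms on this line write the flag as `- auto` with a space (`-type file -id <file path> - auto` and `remediate file <file path> - auto`), whereas the rest of the page and the worked example `getfile c:\Users\user\Desktop\work.txt -auto` use `-auto`; the spaced form is not the flag the page documents, so drop the space in both.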
@ -215,8 +253,8 @@ Live response supports table and JSON format output types. For each command, the

>[!NOTE]
>Fewer fields are shown in table format due to the limited space. To see more details in the output, you can use the JSON output command so that more details are shown.


## Supported output pipes

Live response supports output piping to CLI and file. CLI is the default output behavior. You can pipe the output to a file using the following command: [command] > [filename].txt.

Example:
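Review bot: `[command] > [filename].txt` in the output pipes paragraph is not in code formatting, unlike the other commands in this section; wrap it in backticks so the `>` and the placeholders are read as syntax rather than prose. The note on table output refers to "the JSON output command" without naming it; saying `-output json` explicitly would tie the note to the list above it.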
@ -225,27 +263,24 @@ Example:

processes > output.txt
```



## View the command log
Select the **Command log** tab to see the commands used on the machine during a session.

Select the **Command log** tab to see the commands used on the device during a session.
Each command is tracked with full details such as:
- ID
- Command line
- Duration
- Status and input or output side bar




## Limitations

- Live response sessions are limited to 10 live response sessions at a time
- Large scale command execution is not supported
- A user can only initiate one session at a time
- A machine can only be in one session at a time
- There is a file size limit of 750mb when downloading files from a machine
- A device can only be in one session at a time
- There is a file size limit of 750mb when downloading files from a device

## Related topic
## Related article
- [Live response command examples](live-response-command-examples.md)


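Review bot: the rewritten limitation "There is a file size limit of 750mb when downloading files from a device" carries the lowercase unit over from the old line; it should be "750 MB". The first bullet, "Live response sessions are limited to 10 live response sessions at a time", is circular; suggest "A maximum of 10 live response sessions can be active at a time". The machine to device rename is applied consistently to the command-log sentence and the two limitation bullets, which is good.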
@ -15,6 +15,7 @@ manager: dansimp

audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 04/03/2020
---

# JAMF-based deployment for Microsoft Defender ATP for Mac
@ -73,17 +74,17 @@ You need to create a configuration profile and a policy to start deploying Micro


### Configuration Profile

The configuration profile contains a custom settings payload that includes:
The configuration profile contains a custom settings payload that includes the following:

- Microsoft Defender ATP for Mac onboarding information
- Approved Kernel Extensions payload, to enable running the Microsoft kernel driver
- Approved Kernel Extensions payload to enable running the Microsoft kernel driver

To set the onboarding information, add a property list file with the name, _jamf/WindowsDefenderATPOnboarding.plist_, as a custom setting. You can do this by navigating to **Computers**>**Configuration Profiles**, selecting **New**, then choosing **Custom Settings**>**Configure**. From there, you can upload the property list.
To set the onboarding information, add a property list file that is named **jamf/WindowsDefenderATPOnboarding.plist** as a custom setting. To do this, select **Computers** > **Configuration Profiles** > **New**, and then select **Application & Custom Settings** > **Configure**. From there, you can upload the property list.

>[!IMPORTANT]
> You must set the Preference Domain as "com.microsoft.wdav.atp"
> You have to set the **Preference Domain** to **com.microsoft.wdav.atp**. There are some changes to the Custom Payloads and also to the Jamf Pro user interface in version 10.18 and later versions. For more information about the changes, see [Configuration Profile Payload Settings Specific to Jamf Pro](https://www.jamf.com/jamf-nation/articles/217/configuration-profile-payload-settings-specific-to-jamf-pro).




### Approved Kernel Extension

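Review bot: the rewritten onboarding paragraph puts the file name **jamf/WindowsDefenderATPOnboarding.plist** in bold, and the rewritten IMPORTANT note does the same for the preference domain **com.microsoft.wdav.atp**; bold is the style this page uses for UI controls (**Computers**, **Configuration Profiles**, **Preference Domain**). Put both literal values in code formatting instead, so a reader can tell a string that must be typed exactly (the note itself says the domain "has to" be set to that value) from a control that must be clicked. The added sentence about the Jamf Pro 10.18 UI change and the link are useful, since the menu path moved from **Custom Settings** to **Application & Custom Settings**.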
@ -73,39 +73,39 @@ below to onboard systems with Configuration Manager.


1. In Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Device Collections**.




2. Right Click **Device Collection** and select **Create Device Collection**.




3. Provide a **Name** and **Limiting Collection**, then select **Next**.




4. Select **Add Rule** and choose **Query Rule**.




5. Click **Next** on the **Direct Membership Wizard** and click on **Edit Query Statement**.




6. Select **Criteria** and then choose the star icon.




7. Keep criterion type as **simple value**, choose where as **Operating System - build number**, operator as **is equal to** and value **10240** and click on **OK**.




8. Select **Next** and **Close**.




9. Select **Next**.




After completing this task, you now have a device collection with all the Windows 10 endpoints in the environment.

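Review bot: step 7 builds the query as **Operating System - build number** **is equal to** **10240**, but the closing sentence says the result is "a device collection with all the Windows 10 endpoints in the environment". Build 10240 is the original Windows 10 release build, so an equality test only matches devices still on that first release; every later feature update has a higher build number and would be excluded. If the intent is all Windows 10 devices, the operator should be "is greater than or equal to" (or the closing sentence should be narrowed to what the query actually returns). Minor: "Right Click" in step 2 should be "Right-click", matching step 6 in the policy hunk below, and steps 5 and 7 use "click" where the rest of the procedure uses "select".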
@ -123,7 +123,7 @@ Manager and deploy that policy to Windows 10 devices.



3. Select **Download package**.
3. Select **Download package**.


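Review bot: the old and new sides of this hunk read identically here ("3. Select **Download package**." and the same image reference both appear twice), so the change is presumably whitespace or line-ending only. Confirm it is intentional rather than an editor artifact, since a no-op change adds noise to the blame history without altering the rendered page.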
@ -132,11 +132,11 @@ Manager and deploy that policy to Windows 10 devices.


6. Right-click **Microsoft Defender ATP Policies** and select **Create Microsoft Defender ATP Policy**.




7. Enter the name and description, verify **Onboarding** is selected, then select **Next**.




8. Click **Browse**.

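Review bot: step 8 says "Click **Browse**." while steps 6 and 7 in the same hunk (and the rest of the file) say "select"; use "Select **Browse**." for consistency. The new alt text "Image of Microsoft Endpoint Configuration Manager wizard" is the same string for every screenshot in this procedure; alt text that names the wizard page shown (for example the Create Microsoft Defender ATP Policy general page) would be more useful to screen-reader users than one repeated label.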
@ -292,18 +292,115 @@ You might also need to check the following:


- Check to see that machines are reflected in the **Machines list** in the portal.

## Confirming onboarding of newly built machines
There may be instances when onboarding is deployed on a newly built machine but not completed.

## Licensing requirements
Microsoft Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers:
The steps below provide guidance for the following scenario:
- Onboarding package is deployed to newly built machines
- Sensor does not start because the Out-of-box experience (OOBE) or first user logon has not been completed
- Machine is turned off or restarted before the end user performs a first logon
- In this scenario, the SENSE service will not start automatically even though onboarding package was deployed

- Windows 10 Enterprise E5
- Windows 10 Education E5
- Microsoft 365 Enterprise E5 which includes Windows 10 Enterprise E5

For more information, see [Windows 10 Licensing](https://www.microsoft.com/Licensing/product-licensing/windows10.aspx#tab=2).
>[!NOTE]
>The following steps are only relevant when using Microsoft Endpoint Configuration Manager (current branch)


>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-troubleshootonboarding-belowfoldlink)
1. Create an application in Microsoft Endpoint Configuration Manager current branch.



2. Select **Manually specify the application information**.


3. Specify information about the application, then select **Next**.


4. Specify information about the software center, then select **Next**.


5. In **Deployment types** select **Add**.


6. Select **Manually specify the deployment type information**, then select **Next**.


7. Specify information about the deployment type, then select **Next**.


8. In **Content** > **Installation program** specify the command: `net start sense`.


9. In **Detection method**, select **Configure rules to detect the presence of this deployment type**, then select **Add Clause**.



10. Specify the following detection rule details, then select **OK**:


11. In **Detection method** select **Next**.


12. In **User Experience**, specify the following information, then select **Next**:


13. In **Requirements**, select **Next**.


14. In **Dependencies**, select **Next**.


15. In **Summary**, select **Next**.


16. In **Completion**, select **Close**.



17. In **Deployment types**, select **Next**.



18. In **Summary**, select **Next**.


The status is then displayed


19. In **Completion**, select **Close**.



20. You can now deploy the application by right-clicking the app and selecting **Deploy**.



21. In **General** select **Automatically distribute content for dependencies** and **Browse**.


22. In **Content** select **Next**.


23. In **Deployment settings**, select **Next**.


24. In **Scheduling** select **As soon as possible after the available time**, then select **Next**.


25. In **User experience**, select **Commit changes at deadline or during a maintenance window (requires restarts)**, then select **Next**.


26. In **Alerts** select **Next**.


27. In **Summary**, select **Next**.


The status is then displayed


28. In **Completion**, select **Close**.




## Related topics

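Review bot: steps 10 and 12 say "Specify the following detection rule details" and "specify the following information", but the details exist only in the screenshots that follow; write the values out in the text (the clause type, the setting it checks, and the user-experience options) so they are available to screen readers, can be copied, and survive if the images fail to load. This matters for correctness as well as accessibility: the installation program in step 8 is `net start sense`, so the detection rule from step 10 must only evaluate true once that command has done its work, otherwise Configuration Manager treats the application as already installed and never runs it, and a reviewer cannot check that from an image. Two nits in the added lines: "The status is then displayed" appears twice without a period, and "Check to see that machines are reflected in the **Machines list**" uses "machines" while the live response file in this same merge has moved to "device".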