From b2a43a1b20ffa3582f3030f51c56093aa39f3042 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Tue, 23 Oct 2018 15:42:31 -0700 Subject: [PATCH 1/2] add firewall events --- ...chines-windows-defender-advanced-threat-protection.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md index 74a365a6b4..0d6147cd7b 100644 --- a/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md 
@@ -114,6 +114,15 @@ Use the search bar to look for specific timeline events. Harness the power of us Filtering by event type allows you to define precise queries so that you see events with a specific focus. For example, you can search for a file name, then filter the results to only see Process events matching the search criteria or to only view file events, or even better: to view only network events over a period of time to make sure no suspicious outbound communications go unnoticed. + +>[!NOTE] +> For firewall events to be displayed, you'll need to enable the audit policy, see [Audit Filtering Platform connection](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-connection). +>Firewall covers the following events: +>- [5157](https://docs.microsoft.com/windows/security/threat-protection/auditing/event-5157) - blocked connection +>- [5031](https://docs.microsoft.com/windows/security/threat-protection/auditing/event-5031) - application blocked from accepting incoming connections on the network +>- [5025](https://docs.microsoft.com/windows/security/threat-protection/auditing/event-5025) - firewall service stopped + + - **User account** – Click the drop-down button to filter the machine timeline by the following user associated events: - Logon users - System From 6ce0f557261e335993f5c621c7f2cbf1f17fa244 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 24 Oct 2018 10:56:27 -0700 Subject: [PATCH 2/2] update --- ...-machines-windows-defender-advanced-threat-protection.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md index 0d6147cd7b..cc74d3e88b 100644 
--- a/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md @@ -118,9 +118,11 @@ Use the search bar to look for specific timeline events. Harness the power of us >[!NOTE] > For firewall events to be displayed, you'll need to enable the audit policy, see [Audit Filtering Platform connection](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-filtering-platform-connection). >Firewall covers the following events: ->- [5157](https://docs.microsoft.com/windows/security/threat-protection/auditing/event-5157) - blocked connection ->- [5031](https://docs.microsoft.com/windows/security/threat-protection/auditing/event-5031) - application blocked from accepting incoming connections on the network >- [5025](https://docs.microsoft.com/windows/security/threat-protection/auditing/event-5025) - firewall service stopped +>- [5031](https://docs.microsoft.com/windows/security/threat-protection/auditing/event-5031) - application blocked from accepting incoming connections on the network +>- [5157](https://docs.microsoft.com/windows/security/threat-protection/auditing/event-5157) - blocked connection + + - **User account** – Click the drop-down button to filter the machine timeline by the following user associated events:
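Review bot: In the first patch's hunk (the `>[!NOTE]` block added after the event-type filtering paragraph), the note tells the reader to enable only the Audit Filtering Platform Connection policy, yet it lists 5025 (firewall service stopped) next to 5031 and 5157. The hunk gives no indication that 5025 is emitted under that same subcategory; please confirm which audit subcategory produces 5025 and, if it is a different one, name it in the note so a reader who enables the linked policy does not still miss the service-stopped events. The note is also not yet actionable: all three listed events describe blocked or stopped outcomes, so it should say whether success auditing, failure auditing, or both must be turned on, ideally by quoting the exact setting, for example `auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable`. Two smaller points on the same hunk: "Firewall covers the following events:" leaves "Firewall" ambiguous; "The Firewall event type covers the following events:" ties it to the filter being described. The first link uses a locale-specific `https://docs.microsoft.com/en-us/...` URL while the three event links omit `en-us`; drop the locale from the first link for consistency. And the hunk adds two trailing blank `+` lines before `- **User account**` where one would do.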
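Review bot: The second patch's hunk only reorders the three event bullets into ascending ID order (5025, 5031, 5157), which is fine, but since it already touches the end of the note it should also drop one of the two trailing blank `+` lines left before `- **User account**` by the first patch. Squashing this reorder into the first patch would keep the history to one logical change; if it stays separate, the commit message "update" should say what changed, for example "sort firewall event IDs ascending", so a reader of the history can see that no content was altered.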