deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-24 23:03:42 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'master' into Issue3984

Browse Source
This commit is contained in:
Orlando Rodriguez
2019-08-06 16:03:02 -05:00
committed by GitHub
parent 30087dcbbe c63edc5fb7
commit ff0bf0775a
153 changed files with 2205 additions and 733 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
windows/security/threat-protection/TOC.md
View File

@ -52,6 +52,7 @@
##### [Investigate machines](microsoft-defender-atp/investigate-machines.md)
##### [Investigate an IP address](microsoft-defender-atp/investigate-ip.md)
##### [Investigate a domain](microsoft-defender-atp/investigate-domain.md)
###### [Investigate connection events that occur behind forward proxies](microsoft-defender-atp/investigate-behind-proxy.md)
##### [Investigate a user account](microsoft-defender-atp/investigate-user.md)
#### [Machines list]()
@ -104,7 +105,20 @@
### [Advanced hunting]()
#### [Advanced hunting overview](microsoft-defender-atp/overview-hunting.md)
#### [Query data using Advanced hunting](microsoft-defender-atp/advanced-hunting.md)
##### [Advanced hunting reference](microsoft-defender-atp/advanced-hunting-reference.md)
##### [Advanced hunting schema reference]()
###### [All tables in the Advanced hunting schema](microsoft-defender-atp/advanced-hunting-reference.md)
###### [AlertEvents table](microsoft-defender-atp/advanced-hunting-alertevents-table.md)
###### [FileCreationEvents table](microsoft-defender-atp/advanced-hunting-filecreationevents-table.md)
###### [ImageLoadEvents table](microsoft-defender-atp/advanced-hunting-imageloadevents-table.md)
###### [LogonEvents table](microsoft-defender-atp/advanced-hunting-logonevents-table.md)
###### [MachineInfo table](microsoft-defender-atp/advanced-hunting-machineinfo-table.md)
###### [MachineNetworkInfo table](microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md)
###### [MiscEvents table](microsoft-defender-atp/advanced-hunting-miscevents-table.md)
###### [NetworkCommunicationEvents table](microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md)
###### [ProcessCreationEvents table](microsoft-defender-atp/advanced-hunting-processcreationevents-table.md)
###### [RegistryEvents table](microsoft-defender-atp/advanced-hunting-registryevents-table.md)
##### [Advanced hunting query language best practices](microsoft-defender-atp/advanced-hunting-best-practices.md)
#### [Custom detections]()
@ -129,7 +143,7 @@
### [Microsoft Threat Experts](microsoft-defender-atp/microsoft-threat-experts.md)
### [Portal overview](microsoft-defender-atp/portal-overview.md)
### [Microsoft Defender ATP for US Government Community Cloud High customers](microsoft-defender-atp/commercial-gov.md)
## [Get started]()
### [What's new in Microsoft Defender ATP](microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md)
@ -140,6 +154,9 @@
### [Data storage and privacy](microsoft-defender-atp/data-storage-privacy.md)
### [Assign user access to the portal](microsoft-defender-atp/assign-portal-access.md)
### [Evaluate Microsoft Defender ATP]()
#### [Attack surface reduction and next-generation capability evaluation]()
##### [Attack surface reduction and nex-generation evaluation overview](microsoft-defender-atp/evaluate-atp.md)
@ -232,7 +249,7 @@
##### [Manage updates and apply baselines]()
###### [Learn about the different kinds of updates](windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md)
###### [Manage protection and definition updates](windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md)
###### [Manage protection and security intelligence updates](windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md)
###### [Manage when protection updates should be downloaded and applied](windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md)
###### [Manage updates for endpoints that are out of date](windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md)
###### [Manage event-based forced updates](windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md)

4
windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
View File

@ -38,7 +38,9 @@ To complete this procedure, you must be logged on as a member of the built-in Ad
- To audit successful events, click **Success.**
- To audit failure events, click **Fail.**
- To audit all events, click **All.**
6. In the **Applies to** box, select the object(s) that the audit of events will apply to. These include:
- **This folder only**
@ -47,7 +49,7 @@ To complete this procedure, you must be logged on as a member of the built-in Ad
- **This folder and files**
- **Subfolders and files only**
- **Subfolders only**
- **Files only**
- **Files only**
7. By default, the selected **Basic Permissions** to audit are the following:
- **Read and execute**

2
windows/security/threat-protection/index.md
View File

@ -67,7 +67,7 @@ The attack surface reduction set of capabilities provide the first line of defen
- [Network protection](windows-defender-exploit-guard/network-protection-exploit-guard.md)
- [Controlled folder access](windows-defender-exploit-guard/controlled-folders-exploit-guard.md)
- [Network firewall](windows-firewall/windows-firewall-with-advanced-security.md)
- [Attack surface reduction controls](windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md)
- [Attack surface reduction rules](windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md)
<a name="ngp"></a>

54
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md Normal file
View File

@ -0,0 +1,54 @@
---
title: AlertEvents table in the advanced hunting schema
description: Learn about the AlertEvents table in the Advanced hunting schema, such as column names, data types, and descriptions
keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, alertevent
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: v-maave
author: martyav
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 07/24/2019
---
# AlertEvents
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The AlertEvents table in the Advanced hunting schema contains information about alerts on Microsoft Defender Security Center. Use this reference to construct queries that return information from the table.
For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|
| AlertId | string | Unique identifier for the alert |
| EventTime | datetime | Date and time when the event was recorded |
| MachineId | string | Unique identifier for the machine in the service |
| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
| Severity | string | Indicates the potential impact (high, medium, or low) of the threat indicator or breach activity identified by the alert |
| Category | string | Type of threat indicator or breach activity identified by the alert |
| Title | string | Title of the alert |
| FileName | string | Name of the file that the recorded action was applied to |
| SHA1 | string | SHA-1 of the file that the recorded action was applied to |
| RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to |
| RemoteIP | string | IP address that was being connected to |
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
| Table | string | Table that contains the details of the event |
## Related topics
- [Advanced hunting overview](overview-hunting.md)
- [All Advanced hunting tables](advanced-hunting-reference.md)
- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
- [Query data using Advanced hunting](advanced-hunting.md)

73
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-filecreationevents-table.md Normal file
View File

@ -0,0 +1,73 @@
---
title: FileCreationEvents table in the Advanced hunting schema
description: Learn about the FileCreationEvents table in the Advanced hunting schema, such as column names, data types, and descriptions
keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, filecreationevents
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: v-maave
author: martyav
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 07/24/2019
---
# FileCreationEvents
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The FileCreationEvents table in the Advanced hunting schema contains information about file creation, modification, and other file system events. Use this reference to construct queries that return information from the table.
For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|
| EventTime | datetime | Date and time when the event was recorded |
| MachineId | string | Unique identifier for the machine in the service |
| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
| ActionType | string | Type of activity that triggered the event |
| FileName | string | Name of the file that the recorded action was applied to |
| FolderPath | string | Folder containing the file that the recorded action was applied to |
| SHA1 | string | SHA-1 of the file that the recorded action was applied to |
| SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available |
| MD5 | string | MD5 hash of the file that the recorded action was applied to |
| FileOriginUrl | string | URL where the file was downloaded from |
| FileOriginReferrerUrl | string | URL of the web page that links to the downloaded file |
| FileOriginIP | string | IP address where the file was downloaded from |
| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event |
| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event |
| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event |
| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event |
| InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event |
| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event |
| InitiatingProcessFileName | string | Name of the process that initiated the event |
| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event |
| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event |
| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started |
| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event |
| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started |
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
| SensitivityLabel | string | Label applied to an email, file, or other content to classify it for information protection |
| SensitivitySubLabel | string | Sublabel applied to an email, file, or other content to classify it for information protection; sensitivity sublabels are grouped under sensitivity labels but are treated independently |
| IsAzureInfoProtectionApplied | boolean | Indicates whether the file is encrypted by Azure Information Protection |
## Related topics
- [Advanced hunting overview](overview-hunting.md)
- [All Advanced hunting tables](advanced-hunting-reference.md)
- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
- [Query data using Advanced hunting](advanced-hunting.md)

66
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-imageloadevents-table.md Normal file
View File

@ -0,0 +1,66 @@
---
title: ImageLoadEvents table in the Advanced hunting schema
description: Learn about the ImageLoadEvents table in the Advanced hunting schema, such as column names, data types, and descriptions
keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, imageloadevents
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: v-maave
author: martyav
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 07/24/2019
---
# ImageLoadEvents
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The ImageLoadEvents table in the Advanced hunting schema contains information about DLL loading events. Use this reference to construct queries that return information from the table.
For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|
| EventTime | datetime | Date and time when the event was recorded |
| MachineId | string | Unique identifier for the machine in the service |
| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
| ActionType | string | Type of activity that triggered the event |
| FileName | string | Name of the file that the recorded action was applied to |
| FolderPath | string | Folder containing the file that the recorded action was applied to |
| SHA1 | string | SHA-1 of the file that the recorded action was applied to |
| MD5 | string | MD5 hash of the file that the recorded action was applied to |
| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event |
| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event |
| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event |
| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
| InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event |
| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event |
| InitiatingProcessFileName | string | Name of the process that initiated the event |
| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event |
| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event |
| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started |
| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event |
| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event |
| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started |
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
## Related topics
- [Advanced hunting overview](overview-hunting.md)
- [All Advanced hunting tables](advanced-hunting-reference.md)
- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
- [Query data using Advanced hunting](advanced-hunting.md)

74
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-logonevents-table.md Normal file
View File

@ -0,0 +1,74 @@
---
title: LogonEvents table in the Advanced hunting schema
description: Learn about the LogonEvents table in the Advanced hunting schema, such as column names, data types, and descriptions
keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, logonevents
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: v-maave
author: martyav
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 07/24/2019
---
# LogonEvents
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The LogonEvents table in the Advanced hunting schema contains information about user logons and other authentication events. Use this reference to construct queries that return information from the table.
For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|
| EventTime | datetime | Date and time when the event was recorded |
| MachineId | string | Unique identifier for the machine in the service |
| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
| ActionType | string |Type of activity that triggered the event |
| AccountDomain | string | Domain of the account |
| AccountName | string | User name of the account |
| AccountSid | string | Security Identifier (SID) of the account |
| LogonType | string | Type of logon session, specifically:<br><br> - **Interactive** - User physically interacts with the machine using the local keyboard and screen<br><br> - **Remote interactive (RDP) logons** - User interacts with the machine remotely using Remote Desktop, Terminal Services, Remote Assistance, or other RDP clients<br><br> - **Network** - Session initiated when the machine is accessed using PsExec or when shared resources on the machine, such as printers and shared folders, are accessed<br><br> - **Batch** - Session initiated by scheduled tasks<br><br> - **Service** - Session initiated by services as they start<br> |
| LogonId | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts |
| RemoteComputerName | string | Name of the machine that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name or a host name without domain information |
| RemoteIP | string | IP address that was being connected to |
| RemoteIPType | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast |
| RemotePort | int | TCP port on the remote device that was being connected to |
| AdditionalFields | string | Additional information about the event in JSON array format |
| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event |
| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event |
| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event |
| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
| InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event |
| InitiatingProcessSHA256 | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available |
| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event |
| InitiatingProcessFileName | string | Name of the process that initiated the event |
| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event |
| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event |
| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started |
| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event |
| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event |
| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started |
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
| IsLocalAdmin | boolean | Boolean indicator of whether the user is a local administrator on the machine |
## Related topics
- [Advanced hunting overview](overview-hunting.md)
- [All Advanced hunting tables](advanced-hunting-reference.md)
- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
- [Query data using Advanced hunting](advanced-hunting.md)

55
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machineinfo-table.md Normal file
View File

@ -0,0 +1,55 @@
---
title: MachineInfo table in the Advanced hunting schema
description: Learn about the MachineInfo table in the Advanced hunting schema, such as column names, data types, and descriptions
keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, machineinfo
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: v-maave
author: martyav
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 07/24/2019
---
# MachineInfo
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The MachineInfo table in the Advanced hunting schema contains information about machines in the organization, including OS version, active users, and computer name. Use this reference to construct queries that return information from the table.
For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|
| EventTime | datetime | Date and time when the event was recorded |
| MachineId | string | Unique identifier for the machine in the service |
| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
| ClientVersion | string | Version of the endpoint agent or sensor running on the machine |
| PublicIP | string | Public IP address used by the onboarded machine to connect to the Microsoft Defender ATP service. This could be the IP address of the machine itself, a NAT device, or a proxy |
| OSArchitecture | string | Architecture of the operating system running on the machine |
| OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7 |
| OSBuild | string | Build version of the operating system running on the machine |
| IsAzureADJoined | boolean | Boolean indicator of whether machine is joined to the Azure Active Directory |
| LoggedOnUsers | string | List of all users that are logged on the machine at the time of the event in JSON array format |
| RegistryMachineTag | string | Machine tag added through the registry |
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
| OSVersion | string | Version of the operating system running on the machine |
| MachineGroup | string | Machine group of the machine. This group is used by role-based access control to determine access to the machine |
## Related topics
- [Advanced hunting overview](overview-hunting.md)
- [All Advanced hunting tables](advanced-hunting-reference.md)
- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
- [Query data using Advanced hunting](advanced-hunting.md)

56
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md Normal file
View File

@ -0,0 +1,56 @@
---
title: MachineNetworkInfo table in the Advanced hunting schema
description: Learn about the MachineNetworkInfo table in the Advanced hunting schema, such as column names, data types, and descriptions
keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, machinenetworkinfo
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: v-maave
author: martyav
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 07/24/2019
---
# MachineNetworkInfo
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The MachineNetworkInfo table in the Advanced hunting schema contains information about networking configuration of machines, including network adapters, IP and MAC addresses, and connected networks or domains. Use this reference to construct queries that return information from the table.
For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|
| EventTime | datetime | Date and time when the event was recorded |
| MachineId | string | Unique identifier for the machine in the service |
| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
| NetworkAdapterName | string | Name of the network adapter |
| MacAddress | string | MAC address of the network adapter |
| NetworkAdapterType | string | Network adapter type. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.networkinterfacetype?view=netframework-4.7.2) |
| NetworkAdapterStatus | string | Operational status of the network adapter. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.operationalstatus?view=netframework-4.7.2) |
| TunnelType | string | Tunneling protocol, if the interface is used for this purpose, for example 6to4, Teredo, ISATAP, PPTP, SSTP, and SSH |
| ConnectedNetworks | string | Networks that the adapter is connected to. Each JSON array contains the network name, category (public, private or domain), a description, and a flag indicating if it's connected publicly to the internet |
| DnsAddresses | string | DNS server addresses in JSON array format |
| IPv4Dhcp | string | IPv4 address of DHCP server |
| IPv6Dhcp | string | IPv6 address of DHCP server |
| DefaultGateways | string | Default gateway addresses in JSON array format |
| IPAddresses | string | JSON array containing all the IP addresses assigned to the adapter, along with their respective subnet prefix and IP address space, such as public, private, or link-local |
## Related topics
- [Advanced hunting overview](overview-hunting.md)
- [All Advanced hunting tables](advanced-hunting-reference.md)
- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
- [Query data using Advanced hunting](advanced-hunting.md)

87
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-miscevents-table.md Normal file
View File

@ -0,0 +1,87 @@
---
title: MiscEvents table in the advanced hunting schema
description: Learn about the MiscEvents table in the Advanced hunting schema, such as column names, data types, and descriptions
keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, miscEvents
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: v-maave
author: martyav
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 07/24/2019
---
# MiscEvents
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The MiscEvents table in the Advanced hunting schema contains information about multiple event types, including events triggered by security controls, such as Windows Defender Antivirus and exploit protection. Use this reference to construct queries that return information from the table.
For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|
| EventTime | datetime | Date and time when the event was recorded |
| MachineId | string | Unique identifier for the machine in the service |
| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
| ActionType | string | Type of activity that triggered the event |
| FileName | string | Name of the file that the recorded action was applied to |
| FolderPath | string | Folder containing the file that the recorded action was applied to |
| SHA1 | string | SHA-1 of the file that the recorded action was applied to |
| SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available |
| MD5 | string | MD5 hash of the file that the recorded action was applied to |
| AccountDomain | string | Domain of the account |
| AccountName |string | User name of the account |
| AccountSid | string | Security Identifier (SID) of the account |
| RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to |
| RemoteComputerName | string | Name of the machine that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name, or a host name without domain information |
| ProcessId | int | Process ID (PID) of the newly created process |
| ProcessCommandLine | string | Command line used to create the new process |
| ProcessCreationTime | datetime | Date and time the process was created |
| ProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process |
| LogonId | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts |
| RegistryKey | string | Registry key that the recorded action was applied to |
| RegistryValueName | string | Name of the registry value that the recorded action was applied to |
| RegistryValueData | string | Data of the registry value that the recorded action was applied to |
| RemoteIP | string | IP address that was being connected to |
| RemotePort | int | TCP port on the remote device that was being connected to |
| LocalIP | string | IP address assigned to the local machine used during communication |
| LocalPort | int | TCP port on the local machine used during communication |
| FileOriginUrl | string | URL where the file was downloaded from |
| FileOriginIP | string | IP address where the file was downloaded from |
| AdditionalFields | string | Additional information about the event in JSON array format |
| InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event |
| InitiatingProcessSHA256 | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available |
| InitiatingProcessFileName | string | Name of the process that initiated the event |
| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event |
| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event |
| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event |
| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started |
| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event |
| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started |
| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event |
| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event |
| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event |
| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event |
| InitiatingProcessLogonId | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts |
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
## Related topics
- [Advanced hunting overview](overview-hunting.md)
- [All Advanced hunting tables](advanced-hunting-reference.md)
- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
- [Query data using Advanced hunting](advanced-hunting.md)

70
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md Normal file
View File

@ -0,0 +1,70 @@
---
title: NetworkCommunicationEvents table in the Advanced hunting schema
description: Learn about the NetworkCommunicationEvents table in the Advanced hunting schema, such as column names, data types, and descriptions
keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, networkcommunicationevents
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: v-maave
author: martyav
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 07/24/2019
---
# NetworkCommunicationEvents
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The NetworkCommunicationEvents table in the Advanced hunting schema contains information about network connections and related events. Use this reference to construct queries that return information from the table.
For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|
| EventTime | datetime | Date and time when the event was recorded |
| MachineId | string | Unique identifier for the machine in the service |
| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
| ActionType | string | Type of activity that triggered the event |
| RemoteIP | string | IP address that was being connected to |
| RemotePort | int | TCP port on the remote device that was being connected to |
| RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to |
| LocalIP | string | IP address assigned to the local machine used during communication |
| LocalPort | int | TCP port on the local machine used during communication |
| Protocol | string | IP protocol used, whether TCP or UDP |
| LocalIPType | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast |
| RemoteIPType | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast |
| InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event |
| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event |
| InitiatingProcessFileName | string | Name of the process that initiated the event |
| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event |
| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event |
| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started |
| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event |
| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event |
| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started |
| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event |
| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event |
| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event |
| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
## Related topics
- [Advanced hunting overview](overview-hunting.md)
- [All Advanced hunting tables](advanced-hunting-reference.md)
- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
- [Query data using Advanced hunting](advanced-hunting.md)

78
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-processcreationevents-table.md Normal file
View File

@ -0,0 +1,78 @@
---
title: ProcessCreationEvents table in the Advanced hunting schema
description: Learn about the ProcessCreationEvents table in the Advanced hunting schema, such as column names, data types, and descriptions
keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, processcreationevents
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: v-maave
author: martyav
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 07/24/2019
---
# ProcessCreationEvents
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The ProcessCreationEvents table in the Advanced hunting schema contains information about process creation and related events. Use this reference to construct queries that return information from the table.
For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|
| EventTime | datetime | Date and time when the event was recorded |
| MachineId | string | Unique identifier for the machine in the service |
| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
| ActionType | string | Type of activity that triggered the event |
| FileName | string | Name of the file that the recorded action was applied to |
| FolderPath | string | Folder containing the file that the recorded action was applied to |
| SHA1 | string | SHA-1 of the file that the recorded action was applied to |
| SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available. |
| MD5 | string | MD5 hash of the file that the recorded action was applied to |
| ProcessId | int | Process ID (PID) of the newly created process |
| ProcessCommandLine | string | Command line used to create the new process |
| ProcessIntegrityLevel | string | Integrity level of the newly created process. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet downloaded. These integrity levels influence permissions to resources |
| ProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process |
| ProcessCreationTime | datetime | Date and time the process was created |
| AccountDomain | string | Domain of the account |
| AccountName | string | User name of the account |
| AccountSid | string | Security Identifier (SID) of the account |
| LogonId | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts |
| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event |
| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event |
| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event |
| InitiatingProcessLogonId | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts. |
| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
| InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event |
| InitiatingProcessSHA256 | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available |
| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event |
| InitiatingProcessFileName | string | Name of the process that initiated the event |
| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event |
| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event |
| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started |
| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event |
| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event |
| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started |
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
## Related topics
- [Advanced hunting overview](overview-hunting.md)
- [All Advanced hunting tables](advanced-hunting-reference.md)
- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
- [Query data using Advanced hunting](advanced-hunting.md)

119
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-reference.md
View File

@ -1,6 +1,6 @@
---
title: Advanced hunting reference in Microsoft Defender ATP
description: Learn about Advanced hunting table reference such as column name, data type, and description
title: Advanced hunting schema reference
description: Learn about the tables in the advanced hunting schema
keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@ -15,7 +15,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 06/01/2018
ms.date: 07/24/2019
---
# Advanced hunting reference in Microsoft Defender ATP
@ -26,101 +26,28 @@ ms.date: 06/01/2018
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
## Advanced hunting column reference
To effectively build queries that span multiple tables, you need to understand the columns in the Advanced hunting schema. The following table lists all the available columns, along with their data types and descriptions. This information is also available in the schema representation in the Advanced hunting screen.
## Advanced hunting table reference
| Column name | Data type | Description
:---|:--- |:---
| AccountDomain | string | Domain of the account |
| AccountName | string | User name of the account |
| AccountSid | string | Security Identifier (SID) of the account |
| ActionType | string | Type of activity that triggered the event |
| AdditionalFields | string | Additional information about the event in JSON array format |
| AlertId | string | Unique identifier for the alert |
| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
| Category | string | Type of threat indicator or breach activity identified by the alert |
| ClientVersion | string | Version of the endpoint agent or sensor running on the machine |
| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
| ConnectedNetworks | string | Networks that the adapter is connected to. Each JSON array contains the network name, category (public, private or domain), a description, and a flag indicating if its connected publicly to the internet. |
| DefaultGateways | string | Default gateway addresses in JSON array format |
| DnsAddresses | string | DNS server addresses in JSON array format |
| EventTime | datetime | Date and time when the event was recorded |
| FileName | string | Name of the file that the recorded action was applied to |
| FileOriginIp | string | IP address where the file was downloaded from |
| FileOriginReferrerUrl | string | URL of the web page that links to the downloaded file |
| FileOriginUrl | string | URL where the file was downloaded from |
| FolderPath | string | Folder containing the file that the recorded action was applied to |
| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event |
| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event |
| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event |
| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event |
| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started |
| InitiatingProcessFileName | string | Name of the process that initiated the event |
| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event |
| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event |
| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources. |
| InitiatingProcessLogonId | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts. |
| InitiatingProcessMd5 | string | MD5 hash of the process (image file) that initiated the event |
| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started |
| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event |
| InitiatingProcessSha1 | string | SHA-1 of the process (image file) that initiated the event |
| InitiatingProcessSha256 | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available. |
| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
| IPAddresses | string | JSON array containing all the IP addresses assigned to the adapter, along with their respective subnet prefix and IP address space, such as public, private, or link-local |
| Ipv4Dhcp | string | IPv4 address of DHCP server |
| Ipv6Dhcp | string | IPv6 address of DHCP server |
| IsAzureADJoined | boolean | Boolean indicator of whether machine is joined to the Azure Active Directory |
| IsAzureInfoProtectionApplied | boolean | Indicates whether the file is encrypted by Azure Information Protection |
| LocalIP | string | IP address assigned to the local machine used during communication |
| LocalPort | int | TCP port on the local machine used during communication |
| LocalIPType | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast |
| LogonId | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts. |
| LoggedOnUsers | string | List of all users that are logged on the machine at the time of the event in JSON array format |
| LogonType | string | Type of logon session, specifically:<br><br> - **Interactive** - User physically interacts with the machine using the local keyboard and screen<br><br> - **Remote interactive (RDP) logons** - User interacts with the machine remotely using Remote Desktop, Terminal Services, Remote Assistance, or other RDP clients<br><br> - **Network** - Session initiated when the machine is accessed using PsExec or when shared resources on the machine, such as printers and shared folders, are accessed<br><br> - **Batch** - Session initiated by scheduled tasks<br><br> - **Service** - Session initiated by services as they start<br>
| MacAddress | string | MAC address of the network adapter |
| MachineGroup | string | Machine group of the machine. This group is used by role-based access control to determine access to the machine. |
| MachineId | string | Unique identifier for the machine in the service |
| MD5 | string | MD5 hash of the file that the recorded action was applied to |
| NetworkAdapterName | string | Name of the network adapter |
| NetworkAdapterStatus | string | Operational status of the network adapter. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.operationalstatus?view=netframework-4.7.2). |
| NetworkAdapterType | string | Network adapter type. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.networkinterfacetype?view=netframework-4.7.2). |
| OSArchitecture | string | Architecture of the operating system running on the machine |
| OSBuild | string | Build version of the operating system running on the machine |
| OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. |
| OsVersion | string | Version of the operating system running on the machine |
| PreviousRegistryKey | string | Original registry key of the registry value before it was modified |
| PreviousRegistryValueData | string | Original data of the registry value before it was modified |
| PreviousRegistryValueName | string | Original name of the registry value before it was modified |
| PreviousRegistryValueType | string | Original data type of the registry value before it was modified |
| ProcessCommandline | string | Command line used to create the new process |
| ProcessCreationTime | datetime | Date and time the process was created |
| ProcessId | int | Process ID (PID) of the newly created process |
| ProcessIntegrityLevel | string | Integrity level of the newly created process. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet downloaded. These integrity levels influence permissions to resources. |
| ProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process |
| Protocol | string | IP protocol used, whether TCP or UDP |
| PublicIP | string | Public IP address used by the onboarded machine to connect to the Microsoft Defender ATP service. This could be the IP address of the machine itself, a NAT device, or a proxy. |
| RegistryKey | string | Registry key that the recorded action was applied to |
| RegistryValueData | string | Data of the registry value that the recorded action was applied to |
| RegistryValueName | string | Name of the registry value that the recorded action was applied to |
| RegistryValueType | string | Data type, such as binary or string, of the registry value that the recorded action was applied to |
| RemoteComputerName | string | Name of the machine that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name, or a host name without domain information. |
| RemoteIP | string | IP address that was being connected to |
| RemoteIPType | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast |
| RemotePort | int | TCP port on the remote device that was being connected to |
| RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to |
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns. |
| Severity | string | Indicates the potential impact (high, medium, or low) of the threat indicator or breach activity identified by the alert |
| SensitivityLabel | string | Label applied to an email, file, or other content to classify it for information protection |
| SensitivitySubLabel | string | Sublabel applied to an email, file, or other content to classify it for information protection; sensitivity sublabels are grouped under sensitivity labels but are treated independently |
| SHA1 | string | SHA-1 of the file that the recorded action was applied to |
| SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available. |
| RegistryMachineTag | string | Machine tag added through the registry |
| Table | string | Table that contains the details of the event |
| TunnelingType | string | Tunneling protocol, if the interface is used for this purpose, for example 6to4, Teredo, ISATAP, PPTP, SSTP, and SSH |
The Advanced hunting schema is made up of multiple tables that provide either event information or information about certain entities. To effectively build queries that span multiple tables, you need to understand the tables and the columns in the Advanced hunting schema.
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-belowfoldlink)
The following reference lists all the tables in the Advanced hunting schema. Each table name links to a page describing the column names for that table.
Table and column names are also listed within the Microsoft Defender Security Center, in the schema representation on the Advanced hunting screen.
| Table name | Description |
|------------|-------------|
| **[AlertEvents](advanced-hunting-alertevents-table.md)** | Alerts on Microsoft Defender Security Center |
| **[MachineInfo](advanced-hunting-machineinfo-table.md)** | Machine information, including OS information |
| **[MachineNetworkInfo](advanced-hunting-machinenetworkinfo-table.md)** | Network properties of machines, including adapters, IP and MAC addresses, as well as connected networks and domains |
| **[ProcessCreationEvents](advanced-hunting-processcreationevents-table.md)** | Process creation and related events |
| **[NetworkCommunicationEvents](advanced-hunting-networkcommunicationevents-table.md)** | Network connection and related events |
| **[FileCreationEvents](advanced-hunting-filecreationevents-table.md)** | File creation, modification, and other file system events |
| **[RegistryEvents](advanced-hunting-registryevents-table.md)** | Creation and modification of registry entries |
| **[LogonEvents](advanced-hunting-logonevents-table.md)** | Sign-ins and other authentication events |
| **[ImageLoadEvents](advanced-hunting-imageloadevents-table.md)** | DLL loading events |
| **[MiscEvents](advanced-hunting-miscevents-table.md)** | Multiple event types, including events triggered by security controls such as Windows Defender Antivirus and exploit protection |
## Related topics
- [Query data using Advanced hunting](advanced-hunting.md)
- [Advanced hunting query language best practices](advanced-hunting-best-practices.md)
- [Best practices for Advanced hunting query-writing](advanced-hunting-best-practices.md)

68
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-registryevents-table.md Normal file
View File

@ -0,0 +1,68 @@
---
title: RegistryEvents table in the Advanced hunting schema
description: Learn about the RegistryEvents table in the Advanced hunting schema, such as column names, data types, and descriptions
keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description, registryevents
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: v-maave
author: martyav
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 07/24/2019
---
# RegistryEvents
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The RegistryEvents table in the Advanced hunting schema contains information about the creation and modification of registry entries. Use this reference to construct queries that return information from the table.
For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|
| EventTime | datetime | Date and time when the event was recorded |
| MachineId | string | Unique identifier for the machine in the service |
| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
| ActionType | string | Type of activity that triggered the event |
| RegistryKey | string | Registry key that the recorded action was applied to |
| RegistryValueType | string | Data type, such as binary or string, of the registry value that the recorded action was applied to |
| RegistryValueName | string | Name of the registry value that the recorded action was applied to |
| RegistryValueData | string | Data of the registry value that the recorded action was applied to |
| PreviousRegistryValueName | string | Original name of the registry value before it was modified |
| PreviousRegistryValueData | string | Original data of the registry value before it was modified |
| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event |
| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event |
| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event |
| InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event |
| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event |
| InitiatingProcessFileName | string | Name of the process that initiated the event |
| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event |
| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event |
| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started |
| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event |
| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event |
| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started |
| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
## Related topics
- [Advanced hunting overview](overview-hunting.md)
- [All Advanced hunting tables](advanced-hunting-reference.md)
- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
- [Query data using Advanced hunting](advanced-hunting.md)

96
windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md Normal file
View File

@ -0,0 +1,96 @@
---
title: Microsoft Defender ATP for US Government GCC High customers
description: Learn about the requirements and the available Microsoft Defender ATP capabilities for US Government CCC High customers
keywords: government, gcc, high, requirements, capabilities, defender, defender atp, mdatp
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Microsoft Defender ATP for US Government GCC High customers
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for US Government Community Cloud High (GCC High) customers, built in the US Azure Government environment, uses the same underlying technologies as Microsoft Defender ATP in Azure Commercial.
This offering is currently available to US Office 365 GCC High customers and is based on the same prevention, detection, investigation, and remediation as the commercial version. However, there are some key differences in the availability of capabilities for this offering.
## Endpoint versions
The following OS versions are supported:
- Windows 10, version 1903
- Windows 10, version 1809 (OS Build 17763.404 with [KB4490481](https://support.microsoft.com/en-us/help/4490481))
- Windows 10, version 1803 (OS Build 17134.799 with [KB4499183](https://support.microsoft.com/help/4499183))
- Windows 10, version 1709 (OS Build 16299.1182 with [KB4499147](https://support.microsoft.com/help/4499147))
- Windows Server, 2019 (with [KB4490481](https://support.microsoft.com/en-us/help/4490481))
>[!NOTE]
>A patch must be deployed before machine onboarding in order to configure Microsoft Defender ATP to the correct environment.
The following OS versions are not supported:
- Windows Server 2008 R2 SP1
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server, version 1803
- Windows 7 SP1 Enterprise
- Windows 7 SP1 Pro
- Windows 8 Pro
- Windows 8.1 Enterprise
- macOS
The initial release of Microsoft Defender ATP will not have immediate parity with the commercial offering. While our goal is to deliver all commercial features and functionality to our US Government (GCC High) customers, there are some capabilities not yet available that we'd like to highlight. These are the known gaps as of August 2019:
## Threat & Vulnerability Management
Not currently available.
## Automated investigation and remediation
The following capabilities are not currently available:
- Response to Office 365 alerts
- Live response
## Management and APIs
The following capabilities are not currently available:
- Threat protection report
- Machine health and compliance report
- Integration with third-party products
## Integrations
Integrations with the following Microsoft products are not currently available:
- Azure Security Center
- Azure Advanced Threat Protection
- Azure Information Protection
- Office 365 Advanced Threat Protection
- Microsoft Cloud App Security
- Skype for Business
- Microsoft Intune (sharing of device information and enhanced policy enforcement)
## Microsoft Threat Experts
Not currently available.
## Required connectivity settings
You'll need to ensure that traffic from the following are allowed:
Service location | DNS record
:---|:---
Common URLs for all locations (Global location) | ```crl.microsoft.com```<br>```ctldl.windowsupdate.com```<br>```notify.windows.com```
Microsoft Defender ATP GCC High specific | ```us4-v20.events.data.microsoft.com``` <br>```winatp-gw-usgt.microsoft.com```<br>```winatp-gw-usgv.microsoft.com```<br>```*.blob.core.usgovcloudapi.net```

2
windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md
View File

@ -22,8 +22,6 @@ ms.topic: article
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
[!include[Prerelease information](prerelease.md)]
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
[Attack surface reduction (ASR) rules](../windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md) identify and prevent actions that are typically taken by malware during exploitation. These rules control when and how potentially malicious code can run. For example, you can prevent JavaScript or VBScript from launching a downloaded executable, block Win32 API calls from Office macros, or block processes that run from USB drives.

14
windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md
View File

@ -22,14 +22,13 @@ ms.topic: article
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
[!include[Prerelease information](prerelease.md)]
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
Each onboarded machine adds an additional endpoint detection and response (EDR) sensor and increases visibility over breach activity in your network. Onboarding also ensures that a machine can be checked for vulnerable components as well security configuration issues and can receive critical remediation actions during attacks.
>[!NOTE]
>Before you can track and manage onboarding of machines, [enroll your machines to Intune management](configure-machines.md#enroll-machines-to-intune-management).
Before you can track and manage onboarding of machines:
- [Enroll your machines to Intune management](configure-machines.md#enroll-machines-to-intune-management)
- [Ensure you have the necessary permissions](configure-machines.md#obtain-required-permissions)
## Discover and track unprotected machines
@ -39,8 +38,7 @@ The **Onboarding** card provides a high-level overview of your onboarding rate b
*Card showing onboarded machines compared to the total number of Intune-managed Windows 10 machine*
>[!NOTE]
>- If you used Security Center Configuration Manager, the onboarding script, or other onboarding methods that dont use Intune profiles, you might encounter data discrepancies. To resolve these discrepancies, create a corresponding Intune configuration profile for Microsoft Defender ATP onboarding and assign that profile to your machines.
>- During preview, you might experience discrepancies in aggregated data displayed on the machine configuration management page and those displayed on overview screens in Intune.
>If you used Security Center Configuration Manager, the onboarding script, or other onboarding methods that dont use Intune profiles, you might encounter data discrepancies. To resolve these discrepancies, create a corresponding Intune configuration profile for Microsoft Defender ATP onboarding and assign that profile to your machines.
## Onboard more machines with Intune profiles
@ -66,10 +64,10 @@ From the overview, create a configuration profile specifically for the deploymen
3. After creating the profile, assign it to all your machines. You can review profiles and their deployment status anytime by accessing **Device configuration > Profiles** on Intune.
![Profile assignment screen on Intune](images/secconmgmt_onboarding_3assignprofile.png)<br>
*Assigning the new agent profile to all machines*
*Assigning the new profile to all machines*
>[!TIP]
>To learn more about Intune profiles, read [Assign user and device profiles in Microsoft Intune](https://docs.microsoft.com/intune/device-profile-assign).
>To learn more about Intune profiles, read about [assigning user and device profiles](https://docs.microsoft.com/intune/device-profile-assign).
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)

30
windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md
View File

@ -22,16 +22,15 @@ ms.topic: article
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
[!include[Prerelease information](prerelease.md)]
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
Security baselines ensure that security features are configured according to guidance from both security experts and expert Windows system administrators. When deployed, the Microsoft Defender ATP security baseline sets Microsoft Defender ATP security controls to provide optimal protection.
To understand security baselines and how they are assigned on Intune using configuration profiles, [read this FAQ](https://docs.microsoft.com/intune/security-baselines#q--a).
>[!NOTE]
>Before you can track and manage compliance to the Microsoft Defender ATP security baseline, [enroll your machines to Intune management](configure-machines.md#enroll-machines-to-intune-management).
Before you can deploy and track compliance to security baselines:
- [Enroll your machines to Intune management](configure-machines.md#enroll-machines-to-intune-management)
- [Ensure you have the necessary permissions](configure-machines.md#obtain-required-permissions)
## Compare the Microsoft Defender ATP and the Windows Intune security baselines
The Windows Intune security baseline provides a comprehensive set of recommended settings needed to securely configure machines running Windows, including browser settings, PowerShell settings, as well as settings for some security features like Windows Defender Antivirus. In contrast, the Microsoft Defender ATP baseline provides settings that optimize all the security controls in the Microsoft Defender ATP stack, including settings for endpoint detection and response (EDR) as well as settings also found in the Windows Intune security baseline. For more information about each baseline, see:
@ -44,17 +43,6 @@ Both baselines are maintained so that they complement one another and have ident
>[!NOTE]
>The Microsoft Defender ATP security baseline has been optimized for physical devices and is currently not recommended for use on virtual machines (VMs) or VDI endpoints. Certain baseline settings can impact remote interactive sessions on virtualized environments.
## Get permissions to manage security baselines in Intune
By default, only users who have been assigned the Global Administrator or the Intune Service Administrator role on Azure AD can manage security baseline profiles. If you havent been assigned either role, work with a Global Administrator or an Intune Service Administrator to [create and assign a custom role in Intune](https://docs.microsoft.com/intune/create-custom-role#to-create-a-custom-role) with:
* Read permissions to the organization
* Full permissions to security baselines
![Security baseline permissions on Intune](images/secconmgmt_baseline_permissions.png)
*Security baseline permissions on Intune*
## Monitor compliance to the Microsoft Defender ATP security baseline
The **Security baseline** card on [machine configuration management](configure-machines.md) provides an overview of compliance across Windows 10 machines that have been assigned the Microsoft Defender ATP security baseline.
@ -71,10 +59,8 @@ Each machine is given one of the following status types:
To review specific machines, select **Configure security baseline** on the card. This takes you to Intune device management. From there, select **Device status** for the names and statuses of the machines.
>[!NOTE]
>During preview, you might encounter a few known limitations:
>- You might experience discrepancies in aggregated data displayed on the machine configuration management page and those displayed on overview screens in Intune.
>- The Microsoft Defender ATP security baseline currently doesnt cover settings for all Microsoft Defender ATP security controls, including settings for exploit protection and Application Guard.
>[!NOTE]
>You might experience discrepancies in aggregated data displayed on the machine configuration management page and those displayed on overview screens in Intune.
## Review and assign the Microsoft Defender ATP security baseline
@ -83,7 +69,7 @@ Machine configuration management monitors baseline compliance only of Windows 10
1. Select **Configure security baseline** on the **Security baseline** card to go to Intune device management. A similar overview of baseline compliance is displayed.
>[!TIP]
> Alternatively, you can navigate to the Microsoft Defender ATP security baseline in the Microsoft Azure portal from **All services > Intune > Device security > Security baselines (preview) > PREVIEW: Windows Defender ATP baseline**.
> Alternatively, you can navigate to the Microsoft Defender ATP security baseline in the Microsoft Azure portal from **All services > Intune > Device security > Security baselines > Microsoft Defender ATP baseline**.
2. Create a new profile.
@ -101,10 +87,10 @@ Machine configuration management monitors baseline compliance only of Windows 10
![Security baseline profiles on Intune](images/secconmgmt_baseline_intuneprofile3.png)<br>
*Assigning the security baseline profile on Intune*
5. Save the profile and deploy it to the assigned machine group.
5. Create the profile to save it and deploy it to the assigned machine group.
![Assigning the security baseline on Intune](images/secconmgmt_baseline_intuneprofile4.png)<br>
*Saving and deploying the security baseline profile on Intune*
*Creating the security baseline profile on Intune*
>[!TIP]
>Security baselines on Intune provide a convenient way to comprehensively secure and protect your machines. [Learn more about security baselines on Intune](https://docs.microsoft.com/intune/security-baselines).

23
windows/security/threat-protection/microsoft-defender-atp/configure-machines.md
View File

@ -22,8 +22,6 @@ ms.topic: conceptual
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
[!include[Prerelease information](prerelease.md)]
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
With properly configured machines, you can boost overall resilience against threats and enhance your capability to detect and respond to attacks. Security configuration management helps ensure that your machines:
@ -47,7 +45,7 @@ In doing so, you benefit from:
Machine configuration management works closely with Intune device management to establish the inventory of the machines in your organization and the baseline security configuration. You will be able to track and manage configuration issues on Intune-managed Windows 10 machines.
Before you can ensure your machines are configured properly, enroll them to Intune management. Intune enrollment is robust and has several enrollment options for Windows 10 machines. For more information about Intune enrollment options, read [Set up enrollment for Windows devices](https://docs.microsoft.com/intune/windows-enroll).
Before you can ensure your machines are configured properly, enroll them to Intune management. Intune enrollment is robust and has several enrollment options for Windows 10 machines. For more information about Intune enrollment options, read about [setting up enrollment for Windows devices](https://docs.microsoft.com/intune/windows-enroll).
>[!NOTE]
>To enroll Windows devices to Intune, administrators must have already been assigned licenses. [Read about assigning licenses for device enrollment](https://docs.microsoft.com/intune/licenses-assign).
@ -55,12 +53,21 @@ Before you can ensure your machines are configured properly, enroll them to Intu
>[!TIP]
>To optimize machine management through Intune, [connect Intune to Microsoft Defender ATP](https://docs.microsoft.com/intune/advanced-threat-protection#enable-windows-defender-atp-in-intune).
## Known issues and limitations in this preview
During preview, you might encounter a few known limitations:
- You might experience discrepancies in aggregated data displayed on the machine configuration management page and those displayed on overview screens in Intune.
- The count of onboarded machines tracked by machine configuration management might not include machines onboarded using Security Center Configuration Manager, the onboarding script, or other onboarding methods that dont use Intune profiles. To include these machines, create a corresponding Intune configuration profile for Microsoft Defender ATP onboarding and assign that profile to these machines.
- The Microsoft Defender ATP security baseline currently doesnt cover settings for all Microsoft Defender ATP security controls, including settings for exploit protection and Application Guard.
## Obtain required permissions
By default, only users who have been assigned the Global Administrator or the Intune Service Administrator role on Azure AD can manage and assign the device configuration profiles needed for onboarding machines and deploying the security baseline.
If you have been assigned other roles, ensure you have the necessary permissions:
- Full permissions to device configurations
- Full permissions to security baselines
- Read permissions to device compliance policies
- Read permissions to the organization
![Required permissions on intune](images/secconmgmt_intune_permissions.png)<br>
*Device configuration permissions on Intune*
>[!TIP]
>To learn more about assigning permissions on Intune, [read about creating custom roles](https://docs.microsoft.com/intune/create-custom-role#to-create-a-custom-role).
## In this section
Topic | Description

123
windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md
View File

@ -1,6 +1,8 @@
---
title: Configure managed security service provider support
description: Take the necessary steps to configure the MSSP integration with Microsoft Defender ATP
description: Take the necessary steps to configure the MSSP integration with Windows Defender ATP
keywords: managed security service provider, mssp, configure, integration
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@ -21,9 +23,11 @@ ms.date: 09/03/2018
# Configure managed security service provider integration
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-mssp-support-abovefoldlink)
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-mssp-support-abovefoldlink)
[!include[Prerelease information](prerelease.md)]
@ -35,19 +39,23 @@ You'll need to take the following configuration steps to enable the managed secu
> - MSSP customers: Organizations that engage the services of MSSPs.
The integration will allow MSSPs to take the following actions:
- Get access to MSSP customer's Microsoft Defender Security Center portal
- Get access to MSSP customer's Windows Defender Security Center portal
- Get email notifications, and
- Fetch alerts through security information and event management (SIEM) tools
Before MSSPs can take these actions, the MSSP customer will need to grant access to their Microsoft Defender ATP tenant so that the MSSP can access the portal.
Before MSSPs can take these actions, the MSSP customer will need to grant access to their Windows Defender ATP tenant so that the MSSP can access the portal.
Typically, MSSP customers take the initial configuration steps to grant MSSPs access to their Windows Defender Security Central tenant. After access is granted, other configuration steps can be done by either the MSSP customer or the MSSP.
In general, the following configuration steps need to be taken:
- **Grant the MSSP access to Microsoft Defender Security Center** <br>
This action needs to be done by the MSSP customer. It grants the MSSP access to the MSSP customer's Microsoft Defender ATP tenant.
- **Grant the MSSP access to Windows Defender Security Center** <br>
This action needs to be done by the MSSP customer. It grants the MSSP access to the MSSP customer's Windows Defender ATP tenant.
- **Configure alert notifications sent to MSSPs** <br>
This action can be taken by either the MSSP customer or MSSP. This lets the MSSPs know what alerts they need to address for the MSSP customer.
@ -61,31 +69,36 @@ This action is taken by the MSSP. It allows MSSPs to fetch alerts using APIs.
## Grant the MSSP access to the portal
>[!NOTE]
>[!NOTE]
> These set of steps are directed towards the MSSP customer. <br>
> Access to the portal can only be done by the MSSP customer.
As a MSSP customer, you'll need to take the following configuration steps to grant the MSSP access to Microsoft Defender Security Center.
As a MSSP customer, you'll need to take the following configuration steps to grant the MSSP access to Windows Defender Security Center.
Authentication and authorization of the MSSP user is built on top of Azure Active Directory (Azure AD) B2B functionality.
You'll need to take the following 2 steps:
- Add MSSP user to your tenant as a guest user
- Grant MSSP user access to Microsoft Defender Security Center
- Grant MSSP user access to Windows Defender Security Center
### Add MSSP user to your tenant as a guest user
Add a user who is a member of the MSSP tenant to your tenant as a guest user.
To grant portal access to the MSSP, you must add the MSSP user to your Azure AD as a guest user. For more information, see [Add Azure Active Directory B2B collaboration users in the Azure portal](https://docs.microsoft.com/azure/active-directory/b2b/add-users-administrator).
### Grant MSSP user access to Microsoft Defender Security Center
Grant the guest user access and permissions to your Microsoft Defender Security Center tenant.
### Grant MSSP user access to Windows Defender Security Center
Grant the guest user access and permissions to your Windows Defender Security Center tenant.
Granting access to guest user is done the same way as granting access to a user who is a member of your tenant.
If you're using basic permissions to access the portal, the guest user must be assigned a Security Administrator role in **your** tenant. For more information, see [Use basic permissions to access the portal](basic-permissions.md).
If you're using basic permissions to access the portal, the guest user must be assigned a Security Administrator role in **your** tenant. For more information, see [Use basic permissions to access the portal](basic-permissions-windows-defender-advanced-threat-protection.md).
If you're using role-based access control (RBAC), the guest user must be to added to the appropriate group or groups in **your** tenant. Fore more information on RBAC in Microsoft Defender ATP, see [Manage portal access using RBAC](rbac.md).
If you're using role-based access control (RBAC), the guest user must be to added to the appropriate group or groups in **your** tenant. Fore more information on RBAC in Windows Defender ATP, see [Manage portal access using RBAC](rbac-windows-defender-advanced-threat-protection.md).
>[!NOTE]
>There is no difference between the Member user and Guest user roles from RBAC perspective.
@ -94,12 +107,14 @@ It is recommended that groups are created for MSSPs to make authorization access
As a MSSP customer, you can always remove or modify the permissions granted to the MSSP by updating the Azure AD user groups.
## Access the Microsoft Defender Security Center MSSP customer portal
## Access the Windows Defender Security Center MSSP customer portal
>[!NOTE]
>[!NOTE]
>These set of steps are directed towards the MSSP.
By default, MSSP customers access their Microsoft Defender Security Center tenant through the following URL: `https://securitycenter.windows.com`.
By default, MSSP customers access their Windows Defender Security Center tenant through the following URL: `https://securitycenter.windows.com`.
MSSPs however, will need to use a tenant-specific URL in the following format: `https://securitycenter.windows.com?tid=customer_tenant_id` to access the MSSP customer portal.
@ -123,7 +138,9 @@ Use the following steps to obtain the MSSP customer tenant ID and then use the I
After access the portal is granted, alert notification rules can to be created so that emails are sent to MSSPs when alerts associated with the tenant are created and set conditions are met.
For more information, see [Create rules for alert notifications](configure-email-notifications.md#create-rules-for-alert-notifications).
For more information, see [Create rules for alert notifications](configure-email-notifications-windows-defender-advanced-threat-protection.md#create-rules-for-alert-notifications).
These check boxes must be checked:
- **Include organization name** - The customer name will be added to email notifications
@ -141,46 +158,49 @@ To fetch alerts into your SIEM system you'll need to take the following steps:
Step 1: Create a third-party application
Step 2: Get access and refresh tokens from your customer's tenant
Step 3: Whitelist your application on Microsoft Defender Security Center
Step 3: Whitelist your application on Windows Defender Security Center
### Step 1: Create an application in Azure Active Directory (Azure AD)
You'll need to create an application and grant it permissions to fetch alerts from your customer's Microsoft Defender ATP tenant.
You'll need to create an application and grant it permissions to fetch alerts from your customer's Windows Defender ATP tenant.
1. Sign in to the [Azure AD portal](https://aad.portal.azure.com/).
2. Select **Azure Active Directory** > **App registrations**.
3. Click **New application registration**.
3. Click **New registration**.
4. Specify the following values:
- Name: \<Tenant_name\> SIEM MSSP Connector (replace Tenant_name with the tenant display name)
- Application type: Web app / API
- Sign-on URL: `https://SiemMsspConnector`
- Supported account types: Account in this organizational directory only
- Redirect URI: Select Web and type `https://<domain_name>/SiemMsspConnector`(replace <domain_name> with the tenant name)
5. Click **Create**. The application is displayed in the list of applications you own.
5. Click **Register**. The application is displayed in the list of applications you own.
6. Select the application, then click **Settings** > **Properties**.
6. Select the application, then click **Overview**.
7. Copy the value from the **Application ID** field.
7. Copy the value from the **Application (client) ID** field to a safe place, you will need this in the next step.
8. Change the value in the **App ID URI** to: `https://<domain_name>/SiemMsspConnector` (replace \<domain_name\> with the tenant name.
8. Select **Certificate & secrets** in the new application panel.
9. Ensure that the **Multi-tenanted** field is set to **Yes**.
9. Click **New client secret**.
10. In the **Settings** panel, select **Reply URLs** and add the following URL: `https://localhost:44300/wdatpconnector`.
11. Click **Save**.
12. Select **Keys** and specify the following values:
- Description: Enter a description for the key.
- Expires: Select **In 1 year**
13. Click **Save**. Save the value is a safe place, you'll need this
10. Click **Add**, copy the value of the client secret to a safe place, you will need this in the next step.
### Step 2: Get access and refresh tokens from your customer's tenant
This section guides you on how to use a PowerShell script to get the tokens from your customer's tenant. This script uses the application from the previous step to get the access and refresh tokens using the OAuth Authorization Code Flow.
@ -248,17 +268,20 @@ After providing your credentials, you'll need to grant consent to the applicatio
`Set-ExecutionPolicy -ExecutionPolicy Bypass`
6. Enter the following commands: `.\MsspTokensAcquisition.ps1 -clientId <client_id> -secret <app_key> -tenantId <customer_tenant_id>`
- Replace \<client_id\> with the Application ID you got from the previous step.
- Replace \<app_key\> with the application key you created from the previous step.
- Replace \<customer_tenant_id\> with your customer's tenant ID.
- Replace \<client_id\> with the **Application (client) ID** you got from the previous step.
- Replace \<app_key\> with the **Client Secret** you created from the previous step.
- Replace \<customer_tenant_id\> with your customer's **Tenant ID**.
7. You'll be asked to provide your credentials and consent. Ignore the page redirect.
8. In the PowerShell window, you'll receive an access token and a refresh token. Save the refresh token to configure your SIEM connector.
### Step 3: Whitelist your application on Microsoft Defender Security Center
You'll need to whitelist the application you created in Microsoft Defender Security Center.
### Step 3: Whitelist your application on Windows Defender Security Center
You'll need to whitelist the application you created in Windows Defender Security Center.
You'll need to have **Manage portal system settings** permission to whitelist the application. Otherwise, you'll need to request your customer to whitelist the application for you.
@ -272,17 +295,21 @@ You'll need to have **Manage portal system settings** permission to whitelist th
5. Click **Authorize application**.
You can now download the relevant configuration file for your SIEM and connect to the Microsoft Defender ATP API. For more information see, [Pull alerts to your SIEM tools](configure-siem.md).
You can now download the relevant configuration file for your SIEM and connect to the Windows Defender ATP API. For more information see, [Pull alerts to your SIEM tools](configure-siem-windows-defender-advanced-threat-protection.md).
- In the ArcSight configuration file / Splunk Authentication Properties file – you will have to write your application key manually by settings the secret value.
- Instead of acquiring a refresh token in the portal, use the script from the previous step to acquire a refresh token (or acquire it by other means).
## Fetch alerts from MSSP customer's tenant using APIs
For information on how to fetch alerts using REST API, see [Pull alerts using REST API](pull-alerts-using-rest-api.md).
For information on how to fetch alerts using REST API, see [Pull alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md).
## Related topics
- [Use basic permissions to access the portal](basic-permissions.md)
- [Manage portal access using RBAC](rbac.md)
- [Pull alerts to your SIEM tools](configure-siem.md)
- [Pull alerts using REST API](pull-alerts-using-rest-api.md)
- [Use basic permissions to access the portal](basic-permissions-windows-defender-advanced-threat-protection.md)
- [Manage portal access using RBAC](rbac-windows-defender-advanced-threat-protection.md)
- [Pull alerts to your SIEM tools](configure-siem-windows-defender-advanced-threat-protection.md)
- [Pull alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)

59
windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md
View File

@ -31,7 +31,10 @@ The Microsoft Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to r
The embedded Microsoft Defender ATP sensor runs in system context using the LocalSystem account. The sensor uses Microsoft Windows HTTP Services (WinHTTP) to enable communication with the Microsoft Defender ATP cloud service.
The WinHTTP configuration setting is independent of the Windows Internet (WinINet) internet browsing proxy settings and can only discover a proxy server by using the following discovery methods:
>[!TIP]
>For organizations that use forward proxies as a gateway to the Internet, you can use network protection to investigate behind a proxy. For more information, see [Investigate connection events that occur behind forward proxies](investigate-behind-proxy.md).
The WinHTTP configuration setting is independent of the Windows Internet (WinINet) Internet browsing proxy settings and can only discover a proxy server by using the following discovery methods:
- Auto-discovery methods:
- Transparent proxy
@ -45,6 +48,8 @@ The WinHTTP configuration setting is independent of the Windows Internet (WinINe
- Registry based configuration
- WinHTTP configured using netsh command Suitable only for desktops in a stable topology (for example: a desktop in a corporate network behind the same proxy)
## Configure the proxy server manually using a registry-based static proxy
Configure a registry-based static proxy to allow only Microsoft Defender ATP sensor to report diagnostic data and communicate with Microsoft Defender ATP services if a computer is not be permitted to connect to the Internet.
@ -175,56 +180,6 @@ However, if the connectivity check results indicate a failure, an HTTP error is
> The Connectivity Analyzer tool is not compatible with ASR rule [Block process creations originating from PSExec and WMI commands](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard#attack-surface-reduction-rules). You will need to temporarily disable this rule to run the connectivity tool.
> When the TelemetryProxyServer is set, in Registry or via Group Policy, Microsoft Defender ATP will fall back to direct if it can't access the defined proxy.
## Conduct investigations with Microsoft Defender ATP behind a proxy
Microsoft Defender ATP supports network connection monitoring from different levels of the operating system network stack. A challenging case is when the network uses a forward proxy as a gateway to the internet.
The proxy acts as if it was the target endpoint. In these cases, simple network connection monitors will audit the connections with the proxy which is correct but has lower investigation value. Microsoft Defender ATP supports advanced HTTP level sensor.
By enabling this sensor, Microsoft Defender ATP will expose a new type of events that surfaces the real target domain names. <br><br>
**Investigation Impact**<br>
In machine's timeline the IP address will keep representing the proxy, while the real target address shows up.
![Image of network events on machine's timeline](images/atp-proxy-investigation.png)<br>
Additional events triggered by the Network Protection layer are now available to surface the real domain names even behind a proxy. <br>
Event's information:
![Image of single network event](images/atp-proxy-investigation-event.png)<br>
**Advanced Hunting**<br>
All new connection events are available for you to hunt on through advanced hunting as well. Since these events are connection events, you can find them under the NetworkCommunicationEvents table under the ConnecionSuccess action type.<br>
Using this simple query will show you all the relevant events:
```
NetworkCommunicationEvents
| where ActionType == "ConnectionSuccess"
| take 10
```
![Image of advanced hunting query](images/atp-proxy-investigation-ah.png)
You can also filter out the events that are related to connection to the proxy itself. Use the following query to filter out the connections to the proxy:
```
NetworkCommunicationEvents
| where ActionType == "ConnectionSuccess" and RemoteIP != "ProxyIP"
| take 10
```
**How to enable the advanced network connection sensor**<br>
Monitoring network connection behind forward proxy is possible due to additional Network Events that originate from Network Protection. To see them in machines timeline you need to turn Network Protection on at least in audit mode. <br>
Network protection is a feature in Windows Defender Exploit Guard that protects employees using any app from accessing phishing scams, exploit-hosting sites, and malicious content on the Internet. This includes preventing third-party browsers from connecting to dangerous sites. Its behavior can be controlled by the following options: Block and Audit. <br>
If you turn this policy on in "Block" mode, users/apps will be blocked from connecting to dangerous domains. You will be able to see this activity in Windows Defender Security Center.<br>
If you turn this policy on in "Audit" mode, users/apps will not be blocked from connecting to dangerous domains. However, you will still see this activity in Microsoft Defender Security Center.<br>
If you turn this policy off, users/apps will not be blocked from connecting to dangerous domains. You will not see any network activity in Microsoft Defender Security Center.<br>
If you do not configure this policy, network blocking will be disabled by default. <br><br>
> [!NOTE]
> In order to enable Monitoring network connection behind forward proxy and see the domains you will need to enable network protection at least in audit mode.
Additional documentation:
- [Applying network protection with GP policy CSP](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection)
- [Windows Defender Exploit Guard Documentation](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet)
## Related topics
- [Onboard Windows 10 machines](configure-endpoints.md)
- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md)
- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md)

9
windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
View File

@ -139,13 +139,18 @@ Agent Resource | Ports
## Windows Server, version 1803 and Windows Server 2019
To onboard Windows Server, version 1803 or Windows Server 2019, please refer to the supported methods and versions below.
>[!NOTE]
>The Onboarding package for Windows Server 2019 through System Center Configuration Manager currently ships a script. For more information on how to deploy scripts in System Center Configuration Manager, see [Packages and programs in Configuration Manager](https://docs.microsoft.comsccm/apps/deploy-use/packages-and-programs).
Supported tools include:
- Local script
- Group Policy
- System Center Configuration Manager 2012 / 2012 R2 1511 / 1602
- VDI onboarding scripts for non-persistent machines
For more information, see [Onboard Windows 10 machines](configure-endpoints.md). Support for Windows Server, version 1803 and Windows 2019 provides deeper insight into activities happening on the server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well.
For more information, see [Onboard Windows 10 machines](configure-endpoints.md).
Support for Windows Server, version 1803 and Windows 2019 provides deeper insight into activities happening on the server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well.
1. Configure Microsoft Defender ATP onboarding settings on the server. For more information, see [Onboard Windows 10 machines](configure-endpoints.md).
@ -162,7 +167,7 @@ Supported tools include:
c. Confirm that a recent event containing the passive mode event is found:
![Image of passive mode verification result](images/atp-verify-passive-mode.png)
![Image of passive mode verification result](images/atp-verify-passive-mode.png)
3. Run the following command to check if Windows Defender AV is installed:

2
windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md
View File

@ -61,7 +61,7 @@ machineId | String | Id of the machine on which the event was identified. **Requ
severity | String | Severity of the alert. The property values are: 'Low', 'Medium' and 'High'. **Required**.
title | String | Title for the alert. **Required**.
description | String | Description of the alert. **Required**.
recommendedAction| String | Action that is recommended to be taken by security officer when analyzing the alert.
recommendedAction| String | Action that is recommended to be taken by security officer when analyzing the alert. **Required**.
eventTime | DateTime(UTC) | The time of the event, as obtained from the advanced query. **Required**.
reportId | String | The reportId, as obtained from the advanced query. **Required**.
category| String | Category of the alert. The property values are: 'None', 'SuspiciousActivity', 'Malware', 'CredentialTheft', 'Exploit', 'WebExploit', 'DocumentExploit', 'PrivilegeEscalation', 'Persistence', 'RemoteAccessTool', 'CommandAndControl', 'SuspiciousNetworkTraffic', 'Ransomware', 'MalwareDownload', 'Reconnaissance', 'WebFingerprinting', 'Weaponization', 'Delivery', 'SocialEngineering', 'CredentialStealing', 'Installation', 'Backdoor', 'Trojan', 'TrojanDownloader', 'LateralMovement', 'ExplorationEnumeration', 'NetworkPropagation', 'Exfiltration', 'NotApplicable', 'EnterprisePolicy' and 'General'.

4
windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md
View File

@ -49,7 +49,7 @@ The Microsoft Defender ATP service utilizes state of the art data protection tec
There are various aspects relevant to data protection that our service takes care of. Encryption is one of the most critical and it includes data encryption at rest, encryption in flight, and key management with Key Vault. For more information on other technologies used by the Microsoft Defender ATP service, see [Azure encryption overview](https://docs.microsoft.com/azure/security/security-azure-encryption-overview).
In all scenarios, data is encrypted using 256-bit [AES encyption](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) at the minimum.
In all scenarios, data is encrypted using 256-bit [AES encryption](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) at the minimum.
## Do I have the flexibility to select where to store my data?
@ -80,7 +80,7 @@ No. Customer data is isolated from other customers and is not shared. However, i
You can choose the data retention policy for your data. This determines how long Window Defender ATP will store your data. Theres a flexibility of choosing in the range of 1 month to six months to meet your companys regulatory compliance needs.
**At contract termination or expiration**<br>
Your data will be kept and will be available to you while the licence is under grace period or suspended mode. At the end of this period, that data will be erased from Microsofts systems to make it unrecoverable, no later than 180 days from contract termination or expiration.
Your data will be kept and will be available to you while the license is under grace period or suspended mode. At the end of this period, that data will be erased from Microsofts systems to make it unrecoverable, no later than 180 days from contract termination or expiration.
## Can Microsoft help us maintain regulatory compliance?

11
windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md
View File

@ -20,6 +20,8 @@ ms.topic: article
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
[!include[Prerelease information](prerelease.md)]
Conducting a comprehensive security product evaluation can be a complex process requiring cumbersome environment and machine configuration before an end-to-end attack simulation can actually be done. Adding to the complexity is the challenge of tracking where the simulation activities, alerts, and results are reflected during the evaluation.
The Microsoft Defender ATP evaluation lab is designed to eliminate the complexities of machine and environment configuration so that you can
@ -63,6 +65,9 @@ The machine will automatically be onboarded to your tenant with the recommended
Automated investigation settings will be dependent on tenant settings. It will be configured to be semi-automated by default. For more information, see [Overview of Automated investigations](automated-investigations.md).
>[!NOTE]
>The connection to the test machines is done using RDP. Make sure that your firewall settings allow RDP connections.
1. In the navigation pane, select **Evaluation and tutorials > Evaluation lab**.
@ -72,7 +77,7 @@ Automated investigation settings will be dependent on tenant settings. It will b
3. Select **Add machine**.
>[!NOTE]
>[!WARNING]
> The evaluation environment can only be provisioned up to three test machines. Each machine will only be available for three days from the day of activation.
![Image of add machine](images/evaluation-add-machine.png)
@ -89,6 +94,7 @@ Automated investigation settings will be dependent on tenant settings. It will b
The environment will reflect your test machine status through the evaluation - including risk score, exposure score, and alerts created through the simulation.
![Image of test machines](images/eval-lab-dashboard.png)
## Simulate attack scenarios
@ -98,6 +104,9 @@ If you are looking for a pre-made simulation, you can use our ["Do It Yourself"
You can also use [Advanced hunting](advanced-hunting.md) to query data and [Threat analytics](threat-analytics.md) to view reports about emerging threats.
>[!NOTE]
>The connection to the test machines is done using RDP. Make sure that your firewall settings allow RDP connections.
1. Connect to your machine and run an attack simulation by selecting **Connect**.
![Image of the connect button for test machines](images/test-machine-table.png)

BIN
windows/security/threat-protection/microsoft-defender-atp/images/atp-proxy-investigation-ah.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 125 KiB

After

Width:  |  Height:  |  Size: 138 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/atp-proxy-investigation-event.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 43 KiB

After

Width:  |  Height:  |  Size: 64 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/atp-proxy-investigation.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 52 KiB

After

Width:  |  Height:  |  Size: 70 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile1.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 49 KiB

After

Width:  |  Height:  |  Size: 62 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile2.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 24 KiB

After

Width:  |  Height:  |  Size: 38 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile3.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 10 KiB

After

Width:  |  Height:  |  Size: 26 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile4.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 18 KiB

After

Width:  |  Height:  |  Size: 35 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_permissions.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 30 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_intune_permissions.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 49 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_onboarding_1deviceconfprofile.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 75 KiB

After

Width:  |  Height:  |  Size: 103 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_onboarding_2deviceconfprofile.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 26 KiB

After

Width:  |  Height:  |  Size: 42 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_onboarding_3assignprofile.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 19 KiB

After

Width:  |  Height:  |  Size: 31 KiB

2
windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-config.md
View File

@ -23,6 +23,8 @@ ms.topic: article
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
[!include[Prerelease information](prerelease.md)]
Learn how you can use Microsoft Defender ATP to expand the coverage of Windows Information Protection (WIP) to protect files based on their label, regardless of their origin.
>[!TIP]

89
windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md Normal file
View File

@ -0,0 +1,89 @@
---
title: Investigate connection events that occur behind forward proxies
description: Investigate connection events that occur behind forward proxies
keywords: proxy, network protection, forward proxy, network events, audit, block, domain names, domain
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Investigate connection events that occur behind forward proxies
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatemachines-abovefoldlink)
Microsoft Defender ATP supports network connection monitoring from different levels of the network stack. A challenging case is when the network uses a forward proxy as a gateway to the Internet.
The proxy acts as if it was the target endpoint. In these cases, simple network connection monitors will audit the connections with the proxy which is correct but has lower investigation value.
Microsoft Defender ATP supports advanced HTTP level monitoring through network protection. When turned on, a new type of event is surfaced which exposes the real target domain names.
## Use network protection to monitor network connection behind a firewall
Monitoring network connection behind a forward proxy is possible due to additional network events that originate from network protection. To see them on a machine timeline, turn network protection on (at the minimum in audit mode).
Network protection can be controlled using the following modes:
- **Block** <br> Users or apps will be blocked from connecting to dangerous domains. You will be able to see this activity in Windows Defender Security Center.
- **Audit** <br> Users or apps will not be blocked from connecting to dangerous domains. However, you will still see this activity in Microsoft Defender Security Center.
If you turn network protection off, users or apps will not be blocked from connecting to dangerous domains. You will not see any network activity in Microsoft Defender Security Center.
If you do not configure it, network blocking will be turned off by default.
For more information, see [Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection).
## Investigation impact
When network protection is turned on, you'll see that on a machine's timeline the IP address will keep representing the proxy, while the real target address shows up.
![Image of network events on machine's timeline](images/atp-proxy-investigation.png)
Additional events triggered by the network protection layer are now available to surface the real domain names even behind a proxy.
Event's information:
![Image of single network event](images/atp-proxy-investigation-event.png)
## Hunt for connection events using advanced hunting
All new connection events are available for you to hunt on through advanced hunting as well. Since these events are connection events, you can find them under the NetworkCommunicationEvents table under the `ConnecionSuccess` action type.
Using this simple query will show you all the relevant events:
```
NetworkCommunicationEvents
| where ActionType == "ConnectionSuccess"
| take 10
```
![Image of advanced hunting query](images/atp-proxy-investigation-ah.png)
You can also filter out events that are related to connection to the proxy itself.
Use the following query to filter out the connections to the proxy:
```
NetworkCommunicationEvents
| where ActionType == "ConnectionSuccess" and RemoteIP != "ProxyIP"
| take 10
```
## Related topics
- [Applying network protection with GP - policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection)
- [Protect your network](https://docs.microsoft.comwindows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard)

4
windows/security/threat-protection/microsoft-defender-atp/onboard.md
View File

@ -33,8 +33,8 @@ Topic | Description
[Configure next generation protection](../windows-defender-antivirus/configure-windows-defender-antivirus-features.md) | Configure next generation protection to catch all types of emerging threats.
[Configure Secure score dashboard security controls](secure-score-dashboard.md) | Configure the security controls in Secure score to increase the security posture of your organization.
[Configure Microsoft Threat Experts capabilities](configure-microsoft-threat-experts.md) | Configure and manage how you would like to get cybersecurity threat intelligence from Microsoft Threat Experts.
Configure Microsoft Threat Protection integration| Configure other solutions that integrate with Microsoft Defender ATP.
Management and API support| Pull alerts to your SIEM or use APIs to create custom alerts. Create and build Power BI reports.
[Configure Microsoft Threat Protection integration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration)| Configure other solutions that integrate with Microsoft Defender ATP.
[Management and API support](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/management-apis)| Pull alerts to your SIEM or use APIs to create custom alerts. Create and build Power BI reports.
[Configure Microsoft Defender Security Center settings](preferences-setup.md) | Configure portal related settings such as general settings, advanced features, enable the preview experience and others.

2
windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md
View File

@ -46,7 +46,7 @@ The Microsoft secure score tile is reflective of the sum of all the Microsoft De
Each Windows Defender security control contributes 100 points to the score. The total number is reflective of the score potential and calculated by multiplying the number of supported security controls (Windows Defender security controls pillars) by the maximum points that each pillar contributes (maximum of 100 points for each pillar).
The Office 365 Secure Score looks at your settings and activities and compares them to a baseline established by Microsoft. For more information, see [Introducing the Office 365 Secure Score](https://support.office.com/en-us/article/introducing-the-office-365-secure-score-c9e7160f-2c34-4bd0-a548-5ddcc862eaef#howtoaccess).
The Office 365 Secure Score looks at your settings and activities and compares them to a baseline established by Microsoft. For more information, see [Introducing the Office 365 Secure Score](https://support.office.com/article/introducing-the-office-365-secure-score-c9e7160f-2c34-4bd0-a548-5ddcc862eaef#howtoaccess).
In the example image, the total points for the Windows security controls and Office 365 add up to 602 points.

1
windows/security/threat-protection/microsoft-defender-atp/preview.md
View File

@ -44,6 +44,7 @@ The following features are included in the preview release:
- [Evaluation lab](evaluation-lab.md) <BR> The Microsoft Defender ATP evaluation lab is designed to eliminate the complexities of machine and environment configuration so that you can
focus on evaluating the capabilities of the platform, running simulations, and seeing the prevention, detection, and remediation features in action.
- [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#windows-server-2008-r2-sp1--windows-server-2012-r2-and-windows-server-2016) <BR> You can now onboard Windows Server 2008 R2 SP1.
- [Microsoft Defender ATP for Mac](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac) <BR> Microsoft Defender ATP for Mac brings the next-generation protection, and endpoint detection and response coverage to Mac devices. Core components of the unified endpoint security platform will now be available for Mac devices.

11
windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md
View File

@ -20,7 +20,7 @@ ms.date: 07/13/2017
# Increase scheduling priority
**Applies to**
- Windows 10
- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Increase scheduling priority** security policy setting.
@ -45,7 +45,7 @@ Constant: SeIncreaseBasePriorityPrivilege
### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment
 
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
@ -81,7 +81,12 @@ Verify that only Administrators and Window Manager/Window Manager Group have the
None. Restricting the **Increase scheduling priority** user right to members of the Administrators group and Window Manager/Window Manager Group is the default configuration.
> [!Warning]
> If you remove **Window Manager\Window Manager Group** from the **Increase scheduling priority** user right, certain applications and computers do not function correctly. In particular, the INK workspace does not function correctly on unified memory architecture (UMA) laptop and desktop computers that run Windows 10, version 1903 (or later) and that use the Intel GFX driver.
>
> On affected computers, the display blinks when users draw on INK workspaces such as those that are used by Microsoft Edge, Microsoft PowerPoint, or Microsoft OneNote. The blinking occurs because the inking-related processes repeatedly try to use the Real-Time priority, but are denied permission.
## Related topics
- [User Rights Assignment](user-rights-assignment.md)
- [Increase scheduling priority for Windows Server 2012 and earlier](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn221960(v%3dws.11))
- [Increase scheduling priority for Windows Server 2012 and earlier](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn221960(v%3dws.11))

10
windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md
View File

@ -1,6 +1,6 @@
---
title: Apply Windows Defender Antivirus updates after certain events
description: Manage how Windows Defender Antivirus applies protection updates after startup or receiving cloud-delivered detection reports.
description: Manage how Windows Defender Antivirus applies security intelligence updates after startup or receiving cloud-delivered detection reports.
keywords: updates, protection, force updates, events, startup, check for latest, notifications
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@ -32,7 +32,7 @@ You can use System Center Configuration Manager, Group Policy, PowerShell cmdlet
1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
2. Go to the **Scheduled scans** section and set **Check for the latest definition updates before running a scan** to **Yes**.
2. Go to the **Scheduled scans** section and set **Check for the latest security intelligence updates before running a scan** to **Yes**.
3. Click **OK**.
@ -99,9 +99,9 @@ You can also use Group Policy, PowerShell, or WMI to configure Windows Defender
3. Click **Policies** then **Administrative templates**.
4. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates**.
4. Expand the tree to **Windows components > Windows Defender Antivirus > Security Intelligence Updates**.
5. Double-click **Initiate definition update on startup** and set the option to **Enabled**.
5. Double-click **Initiate security intelligence update on startup** and set the option to **Enabled**.
6. Click **OK**.
@ -143,7 +143,7 @@ If you have enabled cloud-delivered protection, Windows Defender AV will send fi
3. Click **Policies** then **Administrative templates**.
4. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates** and configure the following:
1. Double-click **Allow real-time definition updates based on reports to Microsoft MAPS** and set the option to **Enabled**. Click **OK**.
1. Double-click **Allow real-time security intelligence updates based on reports to Microsoft MAPS** and set the option to **Enabled**. Click **OK**.
2. Double-click **Allow notifications to disable definitions based reports to Microsoft MAPS** and set the option to **Enabled**. Click **OK**.
> [!NOTE]

8
windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md
View File

@ -36,10 +36,10 @@ If Windows Defender Antivirus did not download protection updates for a specifie
1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
2. Go to the **Definition updates** section and configure the following settings:
2. Go to the **Security intelligence updates** section and configure the following settings:
1. Set **Force a definition update if the client computer is offline for more than two consecutive scheduled updates** to **Yes**.
2. For the **If Configuration Manager is used as a source for definition updates...**, specify the hours before which the protection updates delivered by Configuration Manager should be considered out-of-date. This will cause the next update location to be used, based on the defined [fallback source order](manage-protection-updates-windows-defender-antivirus.md#fallback-order).
1. Set **Force a security intelligence update if the client computer is offline for more than two consecutive scheduled updates** to **Yes**.
2. For the **If Configuration Manager is used as a source for security intelligence updates...**, specify the hours before which the protection updates delivered by Configuration Manager should be considered out-of-date. This will cause the next update location to be used, based on the defined [fallback source order](manage-protection-updates-windows-defender-antivirus.md#fallback-order).
3. Click **OK**.
@ -55,7 +55,7 @@ If Windows Defender Antivirus did not download protection updates for a specifie
4. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates**.
5. Double-click the **Define the number of days after which a catch-up definition update is required** setting and set the option to **Enabled**. Enter the number of days after which you want Windows Defender AV to check for and download the latest protection update.
5. Double-click the **Define the number of days after which a catch-up security intelligence update is required** setting and set the option to **Enabled**. Enter the number of days after which you want Windows Defender AV to check for and download the latest protection update.
6. Click **OK**.

14
windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md
View File

@ -37,13 +37,13 @@ You can also randomize the times when each endpoint checks and downloads protect
1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
2. Go to the **Definition updates** section.
2. Go to the **Security intelligence updates** section.
3. To check and download updates at a certain time:
1. Set **Check for Endpoint Protection definitions at a specific interval...** to **0**.
2. Set **Check for Endpoint Protection definitions daily at...** to the time when updates should be checked.
1. Set **Check for Endpoint Protection security intelligence updates at a specific interval...** to **0**.
2. Set **Check for Endpoint Protection security intelligence updates daily at...** to the time when updates should be checked.
3
4. To check and download updates on a continual interval, Set **Check for Endpoint Protection definitions at a specific interval...** to the number of hours that should occur between updates.
4. To check and download updates on a continual interval, Set **Check for Endpoint Protection security intelligence updates at a specific interval...** to the number of hours that should occur between updates.
5. [Deploy the updated policy as usual](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers).
@ -60,9 +60,9 @@ You can also randomize the times when each endpoint checks and downloads protect
5. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates** and configure the following settings:
1. Double-click the **Specify the interval to check for definition updates** setting and set the option to **Enabled**. Enter the number of hours between updates. Click **OK**.
2. Double-click the **Specify the day of the week to check for definition updates** setting and set the option to **Enabled**. Enter the day of the week to check for updates. Click **OK**.
3. Double-click the **Specify the time to check for definition updates** setting and set the option to **Enabled**. Enter the time when updates should be checked. The time is based on the local time of the endpoint. Click **OK**.
1. Double-click the **Specify the interval to check for security intelligence updates** setting and set the option to **Enabled**. Enter the number of hours between updates. Click **OK**.
2. Double-click the **Specify the day of the week to check for security intelligence updates** setting and set the option to **Enabled**. Enter the day of the week to check for updates. Click **OK**.
3. Double-click the **Specify the time to check for security intelligence updates** setting and set the option to **Enabled**. Enter the time when updates should be checked. The time is based on the local time of the endpoint. Click **OK**.

4
windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md
View File

@ -93,7 +93,7 @@ The procedures in this article first describe how to set the order, and then how
4. Expand the tree to **Windows components > Windows Defender > Signature updates** and configure the following settings:
1. Double-click the **Define the order of sources for downloading definition updates** setting and set the option to **Enabled**.
1. Double-click the **Define the order of sources for downloading security intelligence updates** setting and set the option to **Enabled**.
2. Enter the order of sources, separated by a single pipe, for example: `InternalDefinitionUpdateServer|MicrosoftUpdateServer|MMPC`, as shown in the following screenshot.
@ -101,7 +101,7 @@ The procedures in this article first describe how to set the order, and then how
3. Click **OK**. This will set the order of protection update sources.
4. Double-click the **Define file shares for downloading definition updates** setting and set the option to **Enabled**.
4. Double-click the **Define file shares for downloading security intelligence updates** setting and set the option to **Enabled**.
5. Enter the file share source. If you have multiple sources, enter each source in the order they should be used, separated by a single pipe. Use [standard UNC notation](https://msdn.microsoft.com/library/gg465305.aspx) for denoting the path, for example: `\\host-name1\share-name\object-name|\\host-name2\share-name\object-name`. If you do not enter any paths then this source will be skipped when the VM downloads updates.

6
windows/security/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md
View File

@ -56,7 +56,7 @@ You can opt-in to Microsoft Update on the mobile device in one of the following
5. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates**.
6. Double-click the **Allow definition updates from Microsoft Update** setting and set the option to **Enabled**. Click **OK**.
6. Double-click the **Allow security intelligence updates from Microsoft Update** setting and set the option to **Enabled**. Click **OK**.
**Use a VBScript to opt-in to Microsoft Update**
@ -75,7 +75,7 @@ You can opt-in to Microsoft Update on the mobile device in one of the following
You can configure Windows Defender Antivirus to only download protection updates when the PC is connected to a wired power source.
**Use Group Policy to prevent definition updates on battery power:**
**Use Group Policy to prevent security intelligence updates on battery power:**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
@ -85,7 +85,7 @@ You can configure Windows Defender Antivirus to only download protection updates
5. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates** and configure the following setting:
1. Double-click the **Allow definition updates when running on battery power** setting and set the option to **Disabled**.
1. Double-click the **Allow security intelligence updates when running on battery power** setting and set the option to **Disabled**.
2. Click **OK**. This will prevent protection updates from downloading when the PC is on battery power.

2
windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md
View File

@ -94,7 +94,7 @@ Important tasks, such as controlling product settings and triggering on-demand s
|Protection |Do a quick scan |`mdatp --scan --quick` |
|Protection |Do a full scan |`mdatp --scan --full` |
|Protection |Cancel an ongoing on-demand scan |`mdatp --scan --cancel` |
|Protection |Request a definition update |`mdatp --definition-update` |
|Protection |Request a security intelligence update |`mdatp --definition-update` |
## Microsoft Defender ATP portal information

10
windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md
View File

@ -1487,7 +1487,7 @@ Symbolic name:
Message:
</td>
<td >
<b>The antimalware definition update failed.
<b>The security intelligence update failed.
</b>
</td>
</tr>
@ -1498,12 +1498,12 @@ Description:
<td >
Windows Defender Antivirus has encountered an error trying to update signatures.
<dl>
<dt>New Signature Version: &lt;New version number&gt;</dt>
<dt>Previous Signature Version: &lt;Previous signature version&gt;</dt>
<dt>New security intelligence version: &lt;New version number&gt;</dt>
<dt>Previous security intelligence version: &lt;Previous version&gt;</dt>
<dt>Update Source: &lt;Update source&gt;, for example:
<ul>
<li>Signature update folder</li>
<li>Internal definition update server</li>
<li>Security intelligence update folder</li>
<li>Internal security intelligence update server</li>
<li>Microsoft Update Server</li>
<li>File share</li>
<li>Microsoft Malware Protection Center (MMPC)</li>

20
windows/security/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md
View File

@ -124,20 +124,20 @@ Scan | Specify the scan type to use for a scheduled scan | [Configure scheduled
Scan | Specify the time for a daily quick scan | [Configure scheduled scans for Windows Defender Antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md)
Scan | Specify the time of day to run a scheduled scan | [Configure scheduled scans for Windows Defender Antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md)
Scan | Start the scheduled scan only when computer is on but not in use | [Configure scheduled scans for Windows Defender Antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md)
Security intelligence updates | Allow definition updates from Microsoft Update | [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
Security intelligence updates | Allow definition updates when running on battery power | [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
Security intelligence updates | Allow security intelligence updates from Microsoft Update | [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
Security intelligence updates | Allow security intelligence updates when running on battery power | [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
Security intelligence updates | Allow notifications to disable definitions based repots to Microsoft MAPS | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
Security intelligence updates | Allow real-time definition updates based on reports to Microsoft MAPS | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
Security intelligence updates | Allow real-time security intelligence updates based on reports to Microsoft MAPS | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
Security intelligence updates | Check for the latest virus and spyware definitions on startup | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
Security intelligence updates | Define file shares for downloading definition updates | [Manage Windows Defender Antivirus protection and definition updates](manage-protection-updates-windows-defender-antivirus.md)
Security intelligence updates | Define the number of days after which a catch up definition update is required | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
Security intelligence updates | Define file shares for downloading security intelligence updates | [Manage Windows Defender Antivirus protection and security intelligence updates](manage-protection-updates-windows-defender-antivirus.md)
Security intelligence updates | Define the number of days after which a catch up security intelligence update is required | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
Security intelligence updates | Define the number of days before spyware definitions are considered out of date | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
Security intelligence updates | Define the number of days before virus definitions are considered out of date | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
Security intelligence updates | Define the order of sources for downloading definition updates | [Manage Windows Defender Antivirus protection and definition updates](manage-protection-updates-windows-defender-antivirus.md)
Security intelligence updates | Initiate definition update on startup | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
Security intelligence updates | Specify the day of the week to check for definition updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
Security intelligence updates | Specify the interval to check for definition updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
Security intelligence updates | Specify the time to check for definition updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
Security intelligence updates | Define the order of sources for downloading security intelligence updates | [Manage Windows Defender Antivirus protection and security intelligence updates](manage-protection-updates-windows-defender-antivirus.md)
Security intelligence updates | Initiate security intelligence update on startup | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
Security intelligence updates | Specify the day of the week to check for security intelligence updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
Security intelligence updates | Specify the interval to check for security intelligence updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
Security intelligence updates | Specify the time to check for security intelligence updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
Security intelligence updates | Turn on scan after Security intelligence update | [Configure scheduled scans for Windows Defender Antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md)
Threats | Specify threat alert levels at which default action should not be taken when detected | [Configure remediation for Windows Defender Antivirus scans](configure-remediation-windows-defender-antivirus.md)
Threats | Specify threats upon which default action should not be taken when detected | [Configure remediation for Windows Defender Antivirus scans](configure-remediation-windows-defender-antivirus.md)

2
windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md
View File

@ -85,7 +85,7 @@ This section describes how to perform some of the most common tasks when reviewi
4. Click **Run a new advanced scan** to specify different types of scans, such as a full scan.
<a id="definition-version"></a>
**Review the definition update version and download the latest updates in the Windows Security app**
**Review the security intelligence update version and download the latest updates in the Windows Security app**
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar).

8
windows/security/threat-protection/windows-defender-application-control/create-path-based-rules.md
View File

@ -52,10 +52,10 @@ Beginning with Windows 10 version 1903, Windows Defender Application Control (WD
- Suffix (ex. C:\foo\\*) OR Prefix (ex. *\foo\bar.exe)
- One or the other, not both at the same time
- Does not support wildcard in the middle (ex. C:\\*\foo.exe)
- Examples:
- %WINDIR%\\...
- %SYSTEM32%\\...
- %OSDRIVE%\\...
- Supported Macros:
- %WINDIR%\\...
- %SYSTEM32%\\...
- %OSDRIVE%\\...
- Disable default FilePath rule protection of enforcing user-writeability. For example, to add “Disabled:Runtime FilePath Rule Protection” to the policy:

13
windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
View File

@ -6,6 +6,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: medium
author: dansimp
audience: ITPro
ms.date: 04/09/2019
ms.reviewer:
manager: dansimp
@ -149,6 +150,11 @@ Pick the correct version of each .dll for the Windows release you plan to suppor
<Deny ID="ID_DENY_MWFC" FriendlyName="Microsoft.Workflow.Compiler.exe" FileName="Microsoft.Workflow.Compiler.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_WFC" FriendlyName="WFC.exe" FileName="wfc.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_KILL" FriendlyName="kill.exe" FileName="kill.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_MSBUILD_DLL" FriendlyName="MSBuild.dll" FileName="MSBuild.dll" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_DOTNET" FriendlyName="dotnet.exe" FileName="dotnet.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_MS_BUILD" FriendlyName="Microsoft.Build.dll" FileName="Microsoft.Build.dll" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_MS_BUILD_FMWK" FriendlyName="Microsoft.Build.Framework.dll" FileName="Microsoft.Build.Framework.dll" MinimumFileVersion="65535.65535.65535.65535" />
<!-- msxml3.dll pick correct version based on release you are supporting -->
<!-- msxml6.dll pick correct version based on release you are supporting -->
<!-- jscript9.dll pick correct version based on release you are supporting -->
@ -885,6 +891,10 @@ Pick the correct version of each .dll for the Windows release you plan to suppor
<FileRuleRef RuleID="ID_DENY_MSXML3" />
<FileRuleRef RuleID="ID_DENY_MSXML6" />
<FileRuleRef RuleID="ID_DENY_JSCRIPT9" />
<FileRuleRef RuleID="ID_DENY_MSBUILD_DLL" />
<FileRuleRef RuleID="ID_DENY_DOTNET" />
<FileRuleRef RuleID="ID_DENY_MS_BUILD" />
<FileRuleRef RuleID="ID_DENY_MS_BUILD_FMWK" />
<FileRuleRef RuleID="ID_DENY_D_1"/>
<FileRuleRef RuleID="ID_DENY_D_2"/>
<FileRuleRef RuleID="ID_DENY_D_3"/>
@ -1499,6 +1509,5 @@ Pick the correct version of each .dll for the Windows release you plan to suppor
<CiSigners />
<HvciOptions>0</HvciOptions>
</SiPolicy>
```
```
<br />

12
windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md
View File

@ -29,11 +29,13 @@ These settings, located at **Computer Configuration\Administrative Templates\Net
>You must configure either the Enterprise resource domains hosted in the cloud or Private network ranges for apps settings on your employee devices to successfully turn on Application Guard using enterprise mode.
| Policy name | Supported versions | Description |
|-------------------------------------------------|--------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Private network ranges for apps | At least Windows Server 2012, Windows 8, or Windows RT | A comma-separated list of IP address ranges that are in your corporate network. Included endpoints or endpoints that are included within a specified IP address range, are rendered using Microsoft Edge and won't be accessible from the Application Guard environment. |
| Enterprise resource domains hosted in the cloud | At least Windows Server 2012, Windows 8, or Windows RT | A pipe-separated (\|) list of your domain cloud resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment. Notes: 1) Please include a full domain name (www.contoso.com) in the configuration 2) You may optionally use "." as a wildcard character to automatically trust subdomains. Configuring ".constoso.com" will automatically trust "subdomain1.contoso.com", "subdomain2.contoso.com" etc. |
| Domains categorized as both work and personal | At least Windows Server 2012, Windows 8, or Windows RT | A comma-separated list of domain names used as both work or personal resources. Included endpoints are rendered using Microsoft Edge and will be accessible from the Application Guard and regular Edge environment. |
|Policy name|Supported versions|Description|
|-----------|------------------|-----------|
|Private network ranges for apps|At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of IP address ranges that are in your corporate network. Included endpoints or endpoints that are included within a specified IP address range, are rendered using Microsoft Edge and won't be accessible from the Application Guard environment.|
|Enterprise resource domains hosted in the cloud|At least Windows Server 2012, Windows 8, or Windows RT|A pipe-separated (\|) list of your domain cloud resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment. Notes: 1) If you want to specify a complete domain, include a full domain name (for example "**contoso.com**") in the configuration. 2) You may optionally use "." as a previous wildcard character to automatically trust all subdomains (when there is more than one subdomain). Configuring "**.constoso.com**" will automatically trust "**subdomain1.contoso.com**", "**subdomain2.contoso.com**", etc. 3) To trust a subdomain, precede your domain with two dots, for example "**..contoso.com**". |
|Domains categorized as both work and personal|At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of domain names used as both work or personal resources. Included endpoints are rendered using Microsoft Edge and will be accessible from the Application Guard and regular Edge environment.|
## Application-specific settings
These settings, located at **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard**, can help you to manage your company's implementation of Application Guard.

21
windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md
View File

@ -19,29 +19,12 @@ manager: dansimp
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
## Review system requirements
See [System requirements for Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard) to review the hardware and software installation requirements for Windows Defender Application Guard.
>[!NOTE]
>Windows Defender Application Guard is not supported on VMs and VDI environment. For testing and automation on non-production machines, you may enable WDAG on a VM by enabling Hyper-V nested virtualization on the host.
### Hardware requirements
Your environment needs the following hardware to run Windows Defender Application Guard.
|Hardware|Description|
|--------|-----------|
|64-bit CPU|A 64-bit computer with minimum 4 cores is required for the hypervisor. For more info about Hyper-V, see [Hyper-V on Windows Server 2016](https://docs.microsoft.com/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](https://docs.microsoft.com/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](https://docs.microsoft.com/virtualization/hyper-v-on-windows/reference/tlfs).|
|CPU virtualization extensions|Extended page tables, also called _Second Level Address Translation (SLAT)_<br><br>**-AND-**<br><br>One of the following virtualization extensions for VBS:<br><br>VT-x (Intel)<br><br>**-OR-**<br><br>AMD-V|
|Hardware memory|Microsoft requires a minimum of 8GB RAM|
|Hard disk|5 GB free space, solid state disk (SSD) recommended|
|Input/Output Memory Management Unit (IOMMU) support|Not required, but strongly recommended|
### Software requirements
Your environment needs the following software to run Windows Defender Application Guard.
|Software|Description|
|--------|-----------|
|Operating system|Windows 10 Enterprise edition, version 1709 or higher<br>Windows 10 Professional edition, version 1803|
|Browser|Microsoft Edge and Internet Explorer|
|Management system<br> (only for managed devices)|[Microsoft Intune](https://docs.microsoft.com/intune/)<br><br>**-OR-**<br><br>[System Center Configuration Manager](https://docs.microsoft.com/sccm/)<br><br>**-OR-**<br><br>[Group Policy](https://technet.microsoft.com/library/cc753298(v=ws.11).aspx)<br><br>**-OR-**<br><br>Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.|
## Prepare for Windows Defender Application Guard

41
windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md
View File

@ -11,8 +11,9 @@ ms.pagetype: security
ms.localizationpriority: medium
author: levinec
ms.author: ellevin
ms.date: 11/29/2018
ms.reviewer:
audience: ITPro
ms.date: 08/05/2019
ms.reviewer: v-maave
manager: dansimp
---
@ -22,14 +23,17 @@ manager: dansimp
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients.
Controlled folder access works best with [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), which gives you detailed reporting into controlled folder access events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. It protects your data by checking against a list of known, trusted apps. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. It can be turned on via the Windows Security App, or from the System Center Configuration Manager (SCCM) and Intune, for managed devices. Controlled folder access works best with [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), which gives you detailed reporting into controlled folder access events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
All apps (any executable file, including .exe, .scr, .dll files and others) are assessed by Windows Defender Antivirus, which then determines if the app is malicious or safe. If the app is determined to be malicious or suspicious, then it will not be allowed to make changes to any files in any protected folder.
Controlled folder access works by only allowing apps to access protected folders if the app is included on a list of trusted software. If an app isn't on the list, Controlled folder access will block it from making changes to files inside protected folders.
This is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/wdsi/threats/ransomware) that can attempt to encrypt your files and hold them hostage.
Apps are added to the trusted list based upon their prevalence and reputation. Apps that are highly prevalent throughout your organization, and that have never displayed any malicious behavior, are deemed trustworthy and automatically added to the list.
A notification will appear on the computer where the app attempted to make changes to a protected folder. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.
Apps can also be manually added to the trusted list via SCCM and Intune. Additional actions, such as [adding a file indicator](../microsoft-defender-atp/respond-file-alerts.md#add-indicator-to-block-or-allow-a-file) for the app, can be performed from the Security Center Console.
Controlled folder access is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/wdsi/threats/ransomware) that can attempt to encrypt your files and hold them hostage.
With Controlled folder access in place, a notification will appear on the computer where the app attempted to make changes to a protected folder. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.
The protected folders include common system folders, and you can [add additional folders](customize-controlled-folders-exploit-guard.md#protect-additional-folders). You can also [allow or whitelist apps](customize-controlled-folders-exploit-guard.md#allow-specific-apps-to-make-changes-to-controlled-folders) to give them access to the protected folders.
@ -43,13 +47,13 @@ Controlled folder access requires enabling [Windows Defender Antivirus real-time
## Review controlled folder access events in the Microsoft Defender ATP Security Center
Microsoft Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
Microsoft Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how controlled folder access settings would affect your environment if they were enabled.
Here is an example query
Here is an example query
```
```PowerShell
MiscEvents
| where ActionType in ('ControlledFolderAccessViolationAudited','ControlledFolderAccessViolationBlocked')
```
@ -60,15 +64,15 @@ You can review the Windows event log to see events that are created when control
1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the machine.
2. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
1. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
3. On the left panel, under **Actions**, click **Import custom view...**.
4. Navigate to where you extracted *cfa-events.xml* and select it. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
1. On the left panel, under **Actions**, click **Import custom view...**.
4. Click **OK**.
1. Navigate to where you extracted *cfa-events.xml* and select it. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
5. This will create a custom view that filters to only show the following events related to controlled folder access:
1. Click **OK**.
1. This will create a custom view that filters to only show the following events related to controlled folder access:
Event ID | Description
-|-
@ -76,10 +80,9 @@ Event ID | Description
1124 | Audited controlled folder access event
1123 | Blocked controlled folder access event
## In this section
## In this section
Topic | Description
Topic | Description
---|---
[Evaluate controlled folder access](evaluate-controlled-folder-access.md) | Use a dedicated demo tool to see how controlled folder access works, and what events would typically be created.
[Enable controlled folder access](enable-controlled-folders-exploit-guard.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage controlled folder access in your network

2
windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md
View File

@ -53,6 +53,8 @@ For more information about disabling local list merging, see [Prevent or allow u
>If controlled folder access is configured with Group Policy, PowerShell, or MDM CSPs, the state will change in the Windows Security app after a restart of the device.
>If the feature is set to **Audit mode** with any of those tools, the Windows Security app will show the state as **Off**.
>If you are protecting user profile data, we recommend that the user profile should be on the default Windows installation drive.
## Intune
1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune.

14
windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md
View File

@ -11,8 +11,8 @@ ms.pagetype: security
ms.localizationpriority: medium
author: levinec
ms.author: ellevin
ms.date: 05/13/2019
ms.reviewer:
audience: ITPro
manager: dansimp
---
@ -36,13 +36,15 @@ You can enable network protection by using any of these methods:
## Intune
1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune.
1. Click **Device configuration** > **Profiles** > **Create profile**.
1. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.
2. Click **Device configuration** > **Profiles** > **Create profile**.
3. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.
![Create endpoint protection profile](images/create-endpoint-protection-profile.png)
1. Click **Configure** > **Windows Defender Exploit Guard** > **Network filtering** > **Enable**.
4. Click **Configure** > **Windows Defender Exploit Guard** > **Network filtering** > **Enable**.
![Enable network protection in Intune](images/enable-np-intune.png)
1. Click **OK** to save each open blade and click **Create**.
1. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**.
5. Click **OK** to save each open blade and click **Create**.
6. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**.
## MDM

2
windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md
View File

@ -183,7 +183,7 @@ Windows 10 and Windows Server 2016 have a WMI class for related properties and f
> The *Win32\_DeviceGuard* WMI class is only available on the Enterprise edition of Windows 10.
> [!NOTE]
> Mode Based Execution Control property will only be listed as available starting with Windows 10 version 1709.
> Mode Based Execution Control property will only be listed as available starting with Windows 10 version 1803.
The output of this command provides details of the available hardware-based security features as well as those features that are currently enabled.

2
windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md
View File

@ -88,7 +88,7 @@ Where:
For example, to enable Arbitrary Code Guard (ACG) in audit mode for an app named *testing.exe*, run the following command:
```PowerShell
Set-ProcesMitigation -Name c:\apps\lob\tests\testing.exe -Enable AuditDynamicCode
Set-ProcessMitigation -Name c:\apps\lob\tests\testing.exe -Enable AuditDynamicCode
```
You can disable audit mode by replacing `-Enable` with `-Disable`.