mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-23 22:33:41 +00:00
9.6 KiB
9.6 KiB
title, description, keywords, search.product, ms.pagetype, ms.prod, ms.mktglfcycl, ms.sitesec, ms.pagetype, localizationpriority, author, ms.author
| title | description | keywords | search.product | ms.pagetype | ms.prod | ms.mktglfcycl | ms.sitesec | ms.pagetype | localizationpriority | author | ms.author |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Use Attack Surface Reduction rules to prevent malware infection | ASR rules can help prevent exploits from using apps and scripts to infect machines with malware | Attack Surface Reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention | eADQiWindows 10XVcnh | security | w10 | manage | library | security | medium | iaanw | iawilt |
Reduce attack surfaces with Windows Defender Exploit Guard
Applies to:
- Windows 10 Insider Preview
Audience
- Enterprise security administrators
Manageability available with
- Group Policy
- PowerShell
- Configuration service providers for mobile device management
ASR
<ViewerConfig>
<QueryConfig>
<QueryParams>
<Simple>
<Channel>Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender/WHC</Channel>
<EventId>1121,1122,5007</EventId>
<RelativeTimeInfo>0</RelativeTimeInfo>
<BySource>False</BySource>
</Simple>
</QueryParams>
<QueryNode>
<Name>Attack Surface Reduction view</Name>
<QueryList>
<Query Id="0" Path="Microsoft-Windows-Windows Defender/Operational">
<Select Path="Microsoft-Windows-Windows Defender/Operational">*[System[(EventID=1121 or EventID=1122 or EventID=5007)]]</Select>
<Select Path="Microsoft-Windows-Windows Defender/WHC">*[System[(EventID=1121 or EventID=1122 or EventID=5007)]]</Select>
</Query>
</QueryList>
</QueryNode>
</QueryConfig>
</ViewerConfig>
CFA
<ViewerConfig><QueryConfig><QueryParams><Simple><Channel>Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender/WHC</Channel><EventId>1123,1124,5007</EventId><RelativeTimeInfo>0</RelativeTimeInfo><BySource>False</BySource></Simple></QueryParams><QueryNode><Name>Controlled Folder Access view</Name><QueryList><Query Id="0" Path="Microsoft-Windows-Windows Defender/Operational"><Select Path="Microsoft-Windows-Windows Defender/Operational">*[System[(EventID=1123 or EventID=1124 or EventID=5007)]]</Select><Select Path="Microsoft-Windows-Windows Defender/WHC">*[System[(EventID=1123 or EventID=1124 or EventID=5007)]]</Select></Query></QueryList></QueryNode></QueryConfig></ViewerConfig>
EP
<ViewerConfig>
<QueryConfig>
<QueryParams>
<Simple>
<Channel>Microsoft-Windows-Security-Mitigations/KernelMode,Microsoft-Windows-Win32k/Concurrency,Microsoft-Windows-Win32k/Contention,Microsoft-Windows-Win32k/Messages,Microsoft-Windows-Win32k/Operational,Microsoft-Windows-Win32k/Power,Microsoft-Windows-Win32k/Render,Microsoft-Windows-Win32k/Tracing,Microsoft-Windows-Win32k/UIPI,System,Microsoft-Windows-Security-Mitigations/UserMode</Channel>
<EventId>1-24, 5, 260</EventId>
<Source>Microsoft-Windows-Security-Mitigations,Microsoft-Windows-WER-Diag,Microsoft-Windows-Win32k,Win32k</Source>
<RelativeTimeInfo>0</RelativeTimeInfo>
<BySource>True</BySource>
</Simple>
</QueryParams>
<QueryNode>
<Name>Exploit protection view</Name>
<QueryList>
<Query Id="0" Path="Microsoft-Windows-Security-Mitigations/KernelMode">
<Select Path="Microsoft-Windows-Security-Mitigations/KernelMode">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID >= 1 and EventID <= 24) or EventID=5 or EventID=260)]]</Select>
<Select Path="Microsoft-Windows-Win32k/Concurrency">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID >= 1 and EventID <= 24) or EventID=5 or EventID=260)]]</Select>
<Select Path="Microsoft-Windows-Win32k/Contention">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID >= 1 and EventID <= 24) or EventID=5 or EventID=260)]]</Select>
<Select Path="Microsoft-Windows-Win32k/Messages">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID >= 1 and EventID <= 24) or EventID=5 or EventID=260)]]</Select>
<Select Path="Microsoft-Windows-Win32k/Operational">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID >= 1 and EventID <= 24) or EventID=5 or EventID=260)]]</Select>
<Select Path="Microsoft-Windows-Win32k/Power">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID >= 1 and EventID <= 24) or EventID=5 or EventID=260)]]</Select>
<Select Path="Microsoft-Windows-Win32k/Render">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID >= 1 and EventID <= 24) or EventID=5 or EventID=260)]]</Select>
<Select Path="Microsoft-Windows-Win32k/Tracing">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID >= 1 and EventID <= 24) or EventID=5 or EventID=260)]]</Select>
<Select Path="Microsoft-Windows-Win32k/UIPI">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID >= 1 and EventID <= 24) or EventID=5 or EventID=260)]]</Select>
<Select Path="System">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID >= 1 and EventID <= 24) or EventID=5 or EventID=260)]]</Select>
<Select Path="Microsoft-Windows-Security-Mitigations/UserMode">*[System[Provider[@Name='Microsoft-Windows-Security-Mitigations' or @Name='Microsoft-Windows-WER-Diag' or @Name='Microsoft-Windows-Win32k' or @Name='Win32k'] and ( (EventID >= 1 and EventID <= 24) or EventID=5 or EventID=260)]]</Select>
</Query>
</QueryList>
</QueryNode>
</QueryConfig>
<ResultsConfig>
<Columns>
<Column Name="Level" Type="System.String" Path="Event/System/Level" Visible="">255</Column>
<Column Name="Keywords" Type="System.String" Path="Event/System/Keywords">70</Column>
<Column Name="Date and Time" Type="System.DateTime" Path="Event/System/TimeCreated/@SystemTime" Visible="">305</Column>
<Column Name="Source" Type="System.String" Path="Event/System/Provider/@Name" Visible="">215</Column>
<Column Name="Event ID" Type="System.UInt32" Path="Event/System/EventID" Visible="">215</Column>
<Column Name="Task Category" Type="System.String" Path="Event/System/Task" Visible="">215</Column>
<Column Name="User" Type="System.String" Path="Event/System/Security/@UserID">50</Column>
<Column Name="Operational Code" Type="System.String" Path="Event/System/Opcode">110</Column>
<Column Name="Log" Type="System.String" Path="Event/System/Channel">80</Column>
<Column Name="Computer" Type="System.String" Path="Event/System/Computer">170</Column>
<Column Name="Process ID" Type="System.UInt32" Path="Event/System/Execution/@ProcessID">70</Column>
<Column Name="Thread ID" Type="System.UInt32" Path="Event/System/Execution/@ThreadID">70</Column>
<Column Name="Processor ID" Type="System.UInt32" Path="Event/System/Execution/@ProcessorID">90</Column>
<Column Name="Session ID" Type="System.UInt32" Path="Event/System/Execution/@SessionID">70</Column>
<Column Name="Kernel Time" Type="System.UInt32" Path="Event/System/Execution/@KernelTime">80</Column>
<Column Name="User Time" Type="System.UInt32" Path="Event/System/Execution/@UserTime">70</Column>
<Column Name="Processor Time" Type="System.UInt32" Path="Event/System/Execution/@ProcessorTime">100</Column>
<Column Name="Correlation Id" Type="System.Guid" Path="Event/System/Correlation/@ActivityID">85</Column>
<Column Name="Relative Correlation Id" Type="System.Guid" Path="Event/System/Correlation/@RelatedActivityID">140</Column>
<Column Name="Event Source Name" Type="System.String" Path="Event/System/Provider/@EventSourceName">140</Column>
</Columns>
</ResultsConfig>
</ViewerConfig>
NP
<ViewerConfig>
<QueryConfig>
<QueryParams>
<Simple>
<Channel>Microsoft-Windows-Windows Defender/Operational,Microsoft-Windows-Windows Defender/WHC</Channel>
<EventId>1125,1126,5007</EventId>
<RelativeTimeInfo>0</RelativeTimeInfo>
<BySource>False</BySource>
</Simple>
</QueryParams>
<QueryNode>
<Name>Network Protection view</Name>
<QueryList>
<Query Id="0" Path="Microsoft-Windows-Windows Defender/Operational">
<Select Path="Microsoft-Windows-Windows Defender/Operational">*[System[(EventID=1125 or EventID=1126 or EventID=5007)]]</Select>
<Select Path="Microsoft-Windows-Windows Defender/WHC">*[System[(EventID=1125 or EventID=1126 or EventID=5007)]]</Select>
</Query>
</QueryList>
</QueryNode>
</QueryConfig>
</ViewerConfig>