defender-endpoint/network-protection.md
7 additions & 7 deletions
@@ -180,7 +180,7 @@ Network protection is enabled per device, which is typically done using your man
180
180
> [!NOTE]
181
181
> Microsoft Defender Antivirus must be in active mode to enable network protection.
182
182
183
-
You can enable network protection in `audit` mode or `block` mode. If you want to evaluate the impact of enabling network protection before actually blocking IP addresses or URLs, you can enable network protection in audit mode, and gather data on what would be blocked. Audit mode logs whenever end users connect to an address or site that would otherwise have been blocked by network protection. Note that in order for indicators of compromise (IoC) or Web content filtering (WCF) to work, network protection must be in `block` mode.
183
+
You can enable network protection in `audit` mode or `block` mode. If you want to evaluate the impact of enabling network protection before actually blocking IP addresses or URLs, you can enable network protection in audit mode, and gather data on what would be blocked. Audit mode logs whenever end users connect to an address or site that would otherwise have been blocked by network protection. In order for indicators of compromise (IoC) or Web content filtering (WCF) to work, network protection must be in `block` mode.
184
184
185
185
For information about network protection for Linux and macOS see the following articles:
186
186
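Review bot: the rewritten line 183 formats the two modes inconsistently: the first sentence writes `audit` mode and `block` mode in code font, the second says "in audit mode" in plain text, and the last returns to "in `block` mode". Since these are setting values a reader will type, use one form throughout the paragraph, for example "enable network protection in `audit` mode" and "must be in `block` mode". Dropping the "Note that" opener is fine.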
@@ -189,7 +189,7 @@ For information about network protection for Linux and macOS see the following a
189
189
190
190
## Advanced hunting
191
191
192
-
If you're using advanced hunting to identify audit events, you'll have up to 30 days history available from the console. See [Advanced hunting](/defender-xdr/advanced-hunting-overview).
192
+
If you're using advanced hunting to identify audit events, you have up to 30 days history available from the console. See [Advanced hunting](/defender-xdr/advanced-hunting-overview).
193
193
194
194
You can find the audit events in **Advanced hunting** in the Defender for Endpoint portal ([https://security.microsoft.com](https://security.microsoft.com)).
195
195
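Review bot: the new line 192 still reads "up to 30 days history", which is missing a preposition; "up to 30 days of history" is the clean form. The contraction fix ("you'll have" to "you have") is correct for reference documentation.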
@@ -221,7 +221,7 @@ DeviceEvents
221
221
222
222
```
223
223
224
-
The Response category tells you what caused the event, for example:
224
+
The Response category tells you what caused the event, as in this example:
225
225
226
226
| ResponseCategory | Feature responsible for the event |
227
227
|:---|:---|
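Review bot: on the new line 224, "as in this example:" introduces what is actually a reference table of ResponseCategory values and the features that produce them, not a single example, and the prose says "Response category" while the table header uses `ResponseCategory`. Suggest "The `ResponseCategory` column tells you which feature caused the event:" so the sentence names the column exactly as it appears in query results.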
@@ -233,7 +233,7 @@ The Response category tells you what caused the event, for example:
233
233
234
234
For more information, see [Troubleshoot endpoint blocks](web-protection-overview.md#troubleshoot-endpoint-blocks).
235
235
236
-
Note that Microsoft Defender SmartScreen events for the Microsoft Edge browser specifically, needs a different query:
236
+
Microsoft Defender SmartScreen events for the Microsoft Edge browser specifically needs a different query:
237
237
238
238
```kusto
239
239
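Review bot: the new line 236 keeps a subject-verb disagreement: "events ... needs" should be "need" (or "require"), and "specifically" now dangles before the verb. Suggest "Microsoft Defender SmartScreen events for the Microsoft Edge browser specifically require a different query:" or "For Microsoft Defender SmartScreen events in Microsoft Edge specifically, use a different query:". Removing "Note that" was the right call.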
@@ -244,13 +244,13 @@ DeviceEvents
244
244
245
245
```
246
246
247
-
You can use the resulting list of URLs and IPs to determine what would have been blocked if the device was in block mode, and which feature blocked them. Review each item on the list to identify URLS or IPs whether any are necessary to your environment. If you find any entries that have been audited which are critical to your environment, create an Indicator to allow them in your network. Allow URL / IP indicators take precedence over any block.
247
+
You can use the resulting list of URLs and IPs to determine what would be blocked if network protection is set to block mode on the device. You can also see which features would block URLs and IPs. Review the list to identify any URLS or IPs that are necessary for your environment. You can then create an allow indicator for those URLs or IP addresses. Allow indicators take precedence over any blocks.
248
248
249
-
Once you've created an indicator, you can look at resolving the underlying issue:
249
+
Once you've created an indicator, you can look at resolving the underlying issue as follows:
250
250
251
251
- SmartScreen – request review
252
252
- Indicator – modify existing indicator
253
-
- MCA – review unsanctioned APP
253
+
- MCA – review unsanctioned app
254
254
- WCF – request recategorization
255
255
256
256
Using this data you can make an informed decision on enabling Network protection in Block mode. See [Order of precedence for Network protection blocks](web-protection-overview.md#order-of-precedence).
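Review bot: the rewritten line 247 still reads "URLS or IPs"; it should be "URLs" to match "URLs and IPs" at the start of the same sentence. The last sentence also widens "Allow URL / IP indicators take precedence over any block" to "Allow indicators take precedence over any blocks"; since the paragraph ends by pointing to "Order of precedence for Network protection blocks" on line 256, keep the URL/IP qualifier so the precedence claim stays scoped to the indicator types this section discusses. The lowercase "app" fix on line 253 is correct.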