Merge branch 'mansa' of https://github.com/tarTech23/defender-docs-pr into mansa

tarTech23 · tarTech23 · commit e1ae7f4517d8 · 2024-11-07T11:59:37.000+02:00
diff --git a/defender-endpoint/troubleshoot-asr.md b/defender-endpoint/troubleshoot-asr.md
@@ -6,7 +6,7 @@ ms.localizationpriority: medium
 audience: ITPro
 author: denisebmsft
 ms.author: deniseb
-ms.date: 07/28/2023
+ms.date: 11/05/2024
 ms.reviewer:
 manager: deniseb
 ms.custom: asr
@@ -33,8 +33,8 @@ search.appverid: met150
 
 When you use [attack surface reduction rules](attack-surface-reduction.md) you might run into issues, such as:
 
-- A rule blocks a file, process, or performs some other action that it shouldn't (false positive)
-- A rule doesn't work as described, or doesn't block a file or process that it should (false negative)
+- A rule blocks a file, process, or performs some other action that it shouldn't (false positive); or
+- A rule doesn't work as described, or doesn't block a file or process that it should (false negative).
 
 There are four steps to troubleshooting these problems:
 
@@ -47,41 +47,43 @@ There are four steps to troubleshooting these problems:
 
 Attack surface reduction rules only work on devices with the following conditions:
 
-- Endpoints are running Windows 10 Enterprise or later.
+- Devices are running Windows 10 Enterprise or later.
+- Devices are using Microsoft Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app causes Microsoft Defender Antivirus to disable itself](/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility).
+- [Real-time protection](/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus) is enabled.
+- Audit mode isn't enabled. Use Group Policy to set the rule to `Disabled` (value: `0`) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md).
 
-- Endpoints are using Microsoft Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app causes Microsoft Defender Antivirus to disable itself](/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility).
+If these prerequisites are met, proceed to the next step to test the rule in audit mode.
 
-- [Real-time protection](/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus) is enabled.
+## Best practices when setting up attack surface reduction rules using Group Policy
 
-- Audit mode isn't enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md).
+When setting up the attack surface reduction rules by using Group Policy, here are a few best practices to avoid making common mistakes:
 
-If these prerequisites are met, proceed to the next step to test the rule in audit mode.
+1. Make sure when adding the GUID for attack surface reduction rules, there are **no double quotes** (like this: "ASR Rules GUID") at the beginning or at the end of the GUID.
+
+2. Make sure that there are **no spaces** at the beginning or at the end when adding the GUID for attack surface reduction rules.
 
 ## Use audit mode to test the rule
 
 Follow these instructions in [Use the demo tool to see how attack surface reduction rules work](attack-surface-reduction-rules-deployment-test.md) to test the specific rule you're encountering problems with.
 
-1. Enable audit mode for the specific rule you want to test. Use Group Policy to set the rule to **Audit mode** (value: **2**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md). Audit mode allows the rule to report the file or process, but allows it to run.
-
-2. Perform the activity that is causing an issue (for example, open or execute the file or process that should be blocked but is being allowed).
+1. Enable audit mode for the specific rule you want to test. Use Group Policy to set the rule to `Audit mode` (value: `2`) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md). Audit mode allows the rule to report the file or process, but allows it to run.
 
-3. [Review the attack surface reduction rule event logs](attack-surface-reduction.md) to see if the rule would block the file or process if the rule were set to **Enabled**.
+2. Perform the activity that is causing an issue. For example, open the file or run the process that should be blocked, but is allowed.
 
-If a rule isn't blocking a file or process that you're expecting it should block, first check if audit mode is enabled.
+3. [Review the attack surface reduction rule event logs](attack-surface-reduction.md) to see if the rule would block the file or process if the rule were set to `Enabled`.
 
-Audit mode might be enabled for testing another feature, or by an automated PowerShell script, and might not be disabled after the tests were completed.
+   If a rule isn't blocking a file or process that you're expecting it should block, first check to see if audit mode is enabled. Audit mode might be enabled for testing another feature, or by an automated PowerShell script, and might not be disabled after the tests were completed. 
 
 If you've tested the rule with the demo tool and with audit mode, and attack surface reduction rules are working on preconfigured scenarios, but the rule isn't working as expected, proceed to either of the following sections based on your situation:
 
-1. If the attack surface reduction rule is blocking something that it shouldn't block (also known as a false positive), you can [first add an attack surface reduction rule exclusion](#add-exclusions-for-a-false-positive).
-
-2. If the attack surface reduction rule isn't blocking something that it should block (also known as a false negative), you can proceed immediately to the last step, [collecting diagnostic data and submitting the issue to us](#collect-diagnostic-data-for-file-submissions).
+- If the attack surface reduction rule is blocking something that it shouldn't block (also known as a false positive), you can [first add an attack surface reduction rule exclusion](#add-exclusions-for-a-false-positive).
+- If the attack surface reduction rule isn't blocking something that it should block (also known as a false negative), you can proceed immediately to the last step, [collecting diagnostic data and submitting the issue to us](#collect-diagnostic-data-for-file-submissions).
 
 ## Add exclusions for a false positive
 
 If the attack surface reduction rule is blocking something that it shouldn't block (also known as a false positive), you can add exclusions to prevent attack surface reduction rules from evaluating the excluded files or folders.
 
-To add an exclusion, see [Customize Attack surface reduction](attack-surface-reduction-rules-deployment-implement.md#customize-attack-surface-reduction-rules).
+To add an exclusion, see [Customize attack surface reduction](attack-surface-reduction-rules-deployment-implement.md#customize-attack-surface-reduction-rules).
 
 > [!IMPORTANT]
 > You can specify individual files and folders to be excluded, but you cannot specify individual rules.
@@ -95,7 +97,7 @@ Use the [Microsoft Security Intelligence web-based submission form](https://www.
 
 When you report a problem with attack surface reduction rules, you're asked to collect and submit diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues.
 
-1. Open an elevated command prompt and change to the Windows Defender directory:
+1. Open Command Prompt as an administrator and open the Windows Defender directory:
 
    ```console
    cd "c:\program files\Windows Defender"
@@ -114,4 +116,5 @@ When you report a problem with attack surface reduction rules, you're asked to c
 - [Attack surface reduction rules](attack-surface-reduction.md)
 - [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
 - [Evaluate attack surface reduction rules](attack-surface-reduction-rules-deployment-test.md)
+
 [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]
diff --git a/defender-xdr/streaming-api-storage.md b/defender-xdr/streaming-api-storage.md
@@ -16,7 +16,7 @@ ms.topic: conceptual
 ms.date: 06/21/2024
 ---
 
-# Configure Microsoft Defender XDR to stream Advanced Hunting events to your Storage account
+# Stream Microsoft Defender XDR events to your storage account
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
 
@@ -30,41 +30,47 @@ ms.date: 06/21/2024
 
 ## Before you begin
 
-1. Create a [Storage account](/azure/storage/common/storage-account-overview) in your tenant.
-
-2. Log in to your [Azure tenant](https://ms.portal.azure.com/), go to **Subscriptions > Your subscription > Resource Providers > Register to Microsoft.Insights**.
+- Create a [Storage account](/azure/storage/common/storage-account-overview) in your tenant.
+- Sign in to your [Azure tenant](https://ms.portal.azure.com/), and go to **Subscriptions** > **Your subscription** > **Resource Providers** > **Register to Microsoft.Insights**.
 
 ### Add contributor permissions
 
-Once the Storage account is created, you'll need to:
+Once the storage account is created, you need to define the user who is signing in as a contributor.
 
-1. Define the user who is logging into Microsoft Defender XDR as Contributor.
+1. Go to **Storage Account** > **Access control (IAM)**, and then select **Add**.
 
-    Go to **Storage Account > Access control (IAM) > Add** and verify under **Role assignments**.
+2. Verify the user is listed under **Role assignments**.
 
 ## Enable raw data streaming
 
-1. Log in to <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender XDR</a> as a ***Security Administrator*** at a minimum.
+> [!NOTE]
+> When using the Streaming API to an Azure Storage account, ensure the option `Allow trusted Microsoft services to access this storage account` is enabled in the storage account settings to allow for data to be streamed from Microsoft Defender for Endpoint.
+
+1. Go to the [Microsoft Defender portal](https://go.microsoft.com/fwlink/p/?linkid=2077139) and sign in using an account with at least Security Administrator permissions.
 
-  >[!IMPORTANT]
-  >Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
+   > [!IMPORTANT]
+   > Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
 
-2. Go to **Settings** \> **Microsoft Defender XDR** \> **Streaming API**. To go directly to the **Streaming API** page, use <https://security.microsoft.com/settings/mtp_settings/raw_data_export>.
+2. Go to **Settings** > **Microsoft Defender XDR** > **Streaming API**. To go directly to the **Streaming API** page, use [https://security.microsoft.com/settings/mtp_settings/raw_data_export](https://security.microsoft.com/settings/mtp_settings/raw_data_export).
 
 3. Select **Add**.
 
 4. In the **Add new Streaming API settings** flyout that appears, configure the following settings:
-   1. **Name**: Choose a name for your new settings.
-   2. Select **Forward events to Azure Storage**.
-4. To display the Azure Resource Manager resource ID for a storage account in the Azure portal, follow these steps:
 
-   1. Navigate to your storage account in the Azure portal.
-   2. On the **Overview** page, in the **Essentials** section, select the **JSON View** link.
-   3. The resource ID for the storage account is displayed at the top of the page, copy the text under **Storage Account Resource ID**.
+   - **Name**: Choose a name for your new settings.
+   - Select **Forward events to Azure Storage**.
+
+5. To display the Azure Resource Manager resource ID for a storage account in the Azure portal, follow these steps:
+
+   1. Navigate to your storage account in the [Azure portal](https://portal.azure.com).
+
+   2. In the **Overview** page, in the **Essentials** section, select the **JSON View** link.
 
-   4. Back on the **Add new Streaming API settings** flyout, choose the **Event types** that you want to stream.
+   3. The resource ID for the storage account is displayed at the top of the page. Copy the text under **Storage Account Resource ID**.
 
-   When you're finished, select **Submit**.
+   4. In the **Add new Streaming API settings** flyout, choose the **Event types** that you want to stream.
+
+   5. When you're finished, select **Submit**.
 
 ## The schema of the events in the Storage account
 
@@ -74,14 +80,14 @@ Once the Storage account is created, you'll need to:
 
 - The schema of each row in a blob is the following JSON:
 
-  ```JSON
-  {
+   ```JSON
+   {
           "time": "<The time Microsoft Defender XDR received the event>"
           "tenantId": "<Your tenant ID>"
           "category": "<The Advanced Hunting table name with 'AdvancedHunting-' prefix>"
           "properties": { <Microsoft Defender XDR Advanced Hunting event as Json> }
-  }
-  ```
+   }
+   ```
 
 - Each blob contains multiple rows.
 
@@ -91,9 +97,11 @@ Once the Storage account is created, you'll need to:
 
 ## Data types mapping
 
-In order to get the data types for our events properties do the following:
+To get the data types for events properties, follow these steps:
+
+1. Go to the [Microsoft Defender portal](https://go.microsoft.com/fwlink/p/?linkid=2077139) and sign in.
 
-1. Log in to <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender XDR</a> and go to **Hunting** \> **Advanced hunting**. To go directly to the **Advanced hunting** page, use <security.microsoft.com/advanced-hunting>.
+2. Go to **Hunting** \> **Advanced hunting**. To go directly to the **Advanced hunting** page, use [https://security.microsoft.com/advanced-hunting](https://security.microsoft.com/advanced-hunting).
 
 2. On the **Query** tab, run the following query to get the data types mapping for each event:
 
@@ -103,21 +111,20 @@ In order to get the data types for our events properties do the following:
    | project ColumnName, ColumnType
    ```
 
-- Here's an example for Device Info event:
+   Here's an example for Device Info event:
 
-  :::image type="content" source="/defender-endpoint/media/machine-info-datatype-example.png" alt-text="An example device info query" lightbox="/defender-endpoint/media/machine-info-datatype-example.png":::
+   :::image type="content" source="/defender-endpoint/media/machine-info-datatype-example.png" alt-text="An example device info query" lightbox="/defender-endpoint/media/machine-info-datatype-example.png":::
 
 ## Monitoring created resources
 
-You can monitor the resources created by the streaming API using **Azure Monitor**. 
-For more information, see [Monitor destinations - Azure Monitor | Microsoft Docs](/azure/azure-monitor/logs/logs-data-export?tabs=portal#monitor-destinations).
+You can monitor the resources created by the streaming API using **Azure Monitor**. For more information, see [Monitor destinations - Azure Monitor](/azure/azure-monitor/logs/logs-data-export?tabs=portal#monitor-destinations).
 
-## Related topics
+## Related articles
 
 - [Use the Microsoft Graph security API - Microsoft Graph | Microsoft Learn](/graph/api/resources/security-api-overview)
-
 - [Overview of Advanced Hunting](advanced-hunting-overview.md)
 - [Microsoft Defender XDR Streaming API](streaming-api.md)
 - [Stream Microsoft Defender XDR events to your Azure storage account](streaming-api-storage.md)
 - [Azure Storage Account documentation](/azure/storage/common/storage-account-overview)
+
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)]
