Commit 4acd765

add advanced policy for ETW security events
1 parent e6125a7 commit 4acd765

1 file changed

+5
-6
lines changed

reference/security/defend-advanced-settings.md

Lines changed: 5 additions & 6 deletions
@@ -957,20 +957,19 @@ Advanced settings are not recommended for most users. Use them only if you have
957957
`windows.advanced.events.image_load.disable_origin_info_collection`
958958
: Added in 8.19.0.
959959

960-
*If set to true, image load events exclude dll.origin_url, dll.origin_referrer_url, and dll.Ext.windows.zone_identifier. These fields normally show where the loaded DLL was downloaded from, using information taken from the file's Mark of the Web. Default: `false`*
960+
*If set to true, image load events exclude dll.origin_url, dll.origin_referrer_url, and dll.Ext.windows.zone_identifier. These fields normally show where the loaded DLL was downloaded from, using information taken from the file's Mark of the Web. Default: `false`.*
961961

962962
`windows.advanced.events.process.disable_origin_info_collection`
963963
: Added in 8.19.0.
964964

965-
*If set to true, process events exclude process.origin_url, process.origin_referrer_url, and process.Ext.windows.zone_identifier. These fields normally show where the process's executable file was downloaded from, using information taken from the file's Mark of the Web. Default: `false`*
965+
*If set to true, process events exclude process.origin_url, process.origin_referrer_url, and process.Ext.windows.zone_identifier. These fields normally show where the process's executable file was downloaded from, using information taken from the file's Mark of the Web. Default: `false`.*
966966

967967
`windows.advanced.events.file.disable_origin_info_collection`
968968
: Added in 8.19.0.
969969

970970
*If set to true, file events exclude file origin details: file.origin_url, file.origin_referrer_url, and file.Ext.windows.zone_identifier. These fields show the details of file's Mark of the Web. Default: `false`*
971971

972+
`windows.advanced.events.security.provider_etw`
973+
: Added in 8.19.0.
972974

973-
974-
975-
976-
975+
*Controls whether Microsoft-Windows-Security-Auditing ETW provider is enabled for security events collection. Set to false to disable the provider. Default: `true`.*
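Review bot: The description added at new line 975 for `windows.advanced.events.security.provider_etw` does not say what is lost when the provider is turned off. The three `disable_origin_info_collection` entries above it each list the exact fields that disappear, while this one only says "security events collection". Since setting it to false reduces telemetry, please name the event types or fields that depend on the Microsoft-Windows-Security-Auditing provider so an operator can judge the detection impact before changing it. Two smaller points: the sentence needs an article ("whether the Microsoft-Windows-Security-Auditing ETW provider is enabled"), and the trailing period after the default was added to the image_load and process entries (lines 960 and 965) but the file entry at line 970 still ends with "Default: `false`*", so the three sibling entries are now inconsistent. That line also reads "the details of file's Mark of the Web", which should be "the file's".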
