Merge branch 'main' into patch-14

Author: aditisrivastava07

ATPDocs/deploy/active-directory-federation-services.md

@@ -55,9 +55,6 @@ Configure the SQL server to allow the Directory Service Account with the followi
 - *read*
 - *select*
 
-> [!NOTE]
-> If the AD FS database runs on a dedicated SQL server instead of the local AD FS server, and you're using a group Managed Service Account (gMSA) as the Directory Service Account, make sure that you grant the SQL server the [required permissions](create-directory-service-account-gmsa.md#prerequisites-grant-permissions-to-retrieve-the-gmsa-accounts-password) to retrieve the gMSA's password.
-
 ### Grant access to the AD FS database
 
 Grant access to the AD FS database by using SQL Server Management Studio, Transact-SQL (T-SQL), or PowerShell.

defender-xdr/TOC.yml

@@ -132,6 +132,8 @@
           href: configure-attack-disruption.md
         - name: View details and results
           href: autoad-results.md
+        - name: Exclude assets from automated responses
+          href: automatic-attack-disruption-exclusions.md           
       - name: Manage the deception capability
         items:
         - name: Overview

defender-xdr/automatic-attack-disruption-exclusions.md

@@ -0,0 +1,123 @@
+---
+title: Exclude assets from automated response in attack disruption
+description: Learn more about how to exclude identities and devices from being automatically contained from automatic attack disruption.
+ms.service: defender-xdr
+f1.keywords: 
+  - NOCSH
+ms.author: diannegali
+author: diannegali
+ms.localizationpriority: medium
+manager: deniseb
+audience: ITPro
+ms.collection: 
+  - m365-security
+  - tier1
+  - usx-security
+  - usx-security
+ms.topic: conceptual
+search.appverid: 
+  - MOE150
+  - MET150
+ms.date: 02/16/2025
+appliesto:
+- Microsoft Defender XDR
+---
+
+# Exclude assets from automated responses in automatic attack disruption
+
+[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
+
+This article provides information on how to exclude assets from being automatically contained by [automatic attack disruption](automatic-attack-disruption.md) in Microsoft Defender XDR.
+
+Automatic attack disruption enables the exclusion of specific user accounts, devices, and IP addresses from automated containment actions. Once excluded, these assets won't be affected by automated actions triggered by attack disruption.
+
+> [!CAUTION]
+> Excluding assets from automated responses is not recommended. Excluding assets from automated responses can reduce the effectiveness of automatic attack disruption in protecting your environment from sophisticated, high-impact attacks.
+
+## Prerequisites
+
+To exclude assets from automated responses in automatic attack disruption, you must have one of the following roles assigned in either Microsoft Entra ID ([https://portal.azure.com](https://portal.azure.com)) or in the Microsoft 365 admin center ([https://admin.microsoft.com](https://admin.microsoft.com)):
+
+- Global Administrator
+- Security Administrator
+
+## Review or change automated response exclusions for assets
+
+To exclude assets from automated responses in automatic attack disruption, follow these steps:
+
+1. Go to the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.
+
+2. Go to **Settings** \> **Microsoft Defender XDR**.
+
+### Exclude user accounts
+
+1. Under **Automated response**, select **Identities**.
+
+2. To exclude a user account, select **Add user exclusion**. A flyout pane appears.
+
+   :::image type="content" source="/defender/media/automatic-attack-disruption/exclusions/attack-disrupt-exclude-identity-add-small.png" alt-text="Identities page in the automated response settings for attack disruption" lightbox="/defender/media/automatic-attack-disruption/exclusions/attack-disrupt-exclude-identity-add.png":::
+
+3. In the flyout pane, enter the user account names in the **Select users** box and select the user accounts you want to exclude.
+
+   :::image type="content" source="/defender/media/automatic-attack-disruption/exclusions/attack-disrupt-exclude-identity-flyout-small.png" alt-text="Flyout pane when adding and selecting users to exclude in the automated response settings for attack disruption" lightbox="/defender/media/automatic-attack-disruption/exclusions/attack-disrupt-exclude-identity-flyout.png":::
+
+4. Select **Exclude users** to save the exclusion.
+
+### Exclude device groups
+
+> [!CAUTION]
+> Excluding device groups from automated responses also impacts [automated investigation and response](m365d-autoir.md) actions.
+
+1. Under **Automated responses**, select **Devices**.
+
+2. In the **Device groups** tab, choose a device group by selecting the checkbox next to the group name from the list to configure attack disruption automation settings.
+
+   :::image type="content" source="/defender/media/automatic-attack-disruption/exclusions/attack-disrupt-exclude-device-select-small.png" alt-text="Device groups tab in the automated response settings for attack disruption" lightbox="/defender/media/automatic-attack-disruption/exclusions/attack-disrupt-exclude-device-select.png":::
+
+3. In the flyout pane, select the appropriate automation level for the device group. You can choose from any of the following automation levels appropriate for your device group:
+   - **Full - remediate threats automatically**: Automatically contain devices when a threat is detected.
+   - **Semi - require approval for core folders**: Automatically investigate devices when an alert is received and apply     remediation actions except to items within core system folders. Remediation actions for the core folders require approval.
+   - **Semi - require approval for non-temp folders**: Automatically investigate and apply remediation to actions within temp and download folders when an alert is received. All other remediation actions require approval.
+   - **Semi - require approval for all folders**: Automatically investigate devices when an alert is received. All  remediation actions require approval.
+   - **No automated response**: No automated investigation or response is taken for devices in this group.
+
+   :::image type="content" source="/defender/media/automatic-attack-disruption/exclusions/attack-disrupt-exclude-device-flyout-small.png" alt-text="Flyout pane when configuring automation levels for a device group" lightbox="/defender/media/automatic-attack-disruption/exclusions/attack-disrupt-exclude-device-flyout.png":::
+
+4. Select **Save** to save the automation level for the device group.
+
+> [!IMPORTANT]
+> Some information in this article relates to a prereleased product, which may be substantially modified before it's commercially released. Microsoft makes no warranties expressed or implied, with respect to the information provided here.
+
+### Exclude IPs
+
+1. Under **Automated responses**, select **Devices**.
+
+2. In the **IPs** tab, select **Exclude IP** to exclude an IP address.
+
+   :::image type="content" source="/defender/media/automatic-attack-disruption/exclusions/attack-disrupt-exclude-ip-add-small.png" alt-text="IPs tab in the automated response settings for attack disruption" lightbox="/defender/media/automatic-attack-disruption/exclusions/attack-disrupt-exclude-ip-add.png":::
+
+3. In the flyout pane, enter the IP address/IP range/IP subnet you want to exclude. You can add multiple IP addresses and IP subnets by separating them with a comma.
+
+   :::image type="content" source="/defender/media/automatic-attack-disruption/exclusions/attack-disrupt-exclude-ip-flyout-small.png" alt-text="Flyout pane when adding IP addresses to exclude in the automated response settings for attack disruption" lightbox="/defender/media/automatic-attack-disruption/exclusions/attack-disrupt-exclude-ip-flyout.png":::
+
+4. Add a name and note for the exclusion. Select **Create** to save the exclusion.
+
+### Remove exclusions
+
+To remove an exclusion:
+
+- Go to the **Identities** page. Select the user account you want to remove from the list and then select **Remove**.
+
+:::image type="content" source="/defender/media/automatic-attack-disruption/exclusions/attack-disrupt-exclude-user-remove.png" alt-text="Highlighting the removal option when removing an excluded user in the Identities page of attack disruption automation settings":::
+
+- Go to the **Devices** page and navigate to the **IPs** tab. Select the IP address you want to remove from the list and then select **Remove exclusion**.
+
+:::image type="content" source="/defender/media/automatic-attack-disruption/exclusions/attack-disrupt-exclude-ip-remove.png" alt-text="Highlighting the removal option when removing an excluded IP in the IP tab of attack disruption automation settings":::
+
+- Device group exclusions can be configured in the **Device groups** tab. Select the device group you want to configure from the list and choose the appropriate exclusion from the flyout pane. Select **Save** to save the exclusion.
+
+## See also
+
+- [View details and results of automated attack disruption actions](autoad-results.md)
+
+[!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)]

defender-xdr/configure-attack-disruption.md

@@ -1,6 +1,6 @@
 ---
-title: Configure automatic attack disruption capabilities in Microsoft Defender XDR
-description: Configure automatic attack disruption options in Microsoft Defender XDR
+title: Configure automatic attack disruption in Microsoft Defender XDR
+description: Learn how to set up automatic attack disruption in Microsoft Defender XDR and ensure prerequisites are met.
 search.appverid: MET150
 ms.author: diannegali
 author: diannegali
@@ -9,7 +9,7 @@ audience: ITPro
 ms.topic: how-to
 ms.service: defender-xdr
 ms.localizationpriority: medium
-ms.date: 12/24/2024
+ms.date: 02/16/2025
 ms.collection:
 - m365-security
 - tier2
@@ -20,30 +20,25 @@ ms.reviewer: evaldm, isco
 f1.keywords: CSH
 ---
 
-# Configure automatic attack disruption capabilities in Microsoft Defender XDR
+# Configure automatic attack disruption in Microsoft Defender XDR
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
 
 Microsoft Defender XDR includes powerful [automated attack disruption](automatic-attack-disruption.md) capabilities that can protect your environment from sophisticated, high-impact attacks.
 
-This article describes how to configure automatic attack disruption capabilities in <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender XDR</a> with these steps:
+This article describes how to configure automatic attack disruption capabilities in <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft Defender XDR</a>. After you're all set up, you can view and manage containment actions in Incidents and the Action center. And, if necessary, you can make changes to settings.
 
-1. [Review the prerequisites](#prerequisites-for-automatic-attack-disruption-in-microsoft-365-defender).
-2. [Review or change the automated response exclusions for users](#review-or-change-automated-response-exclusions-for-users).
+## Prerequisites
 
-Then, after you're all set up, you can view and manage containment actions in Incidents and the Action center. And, if necessary, you can make changes to settings.
-
-<a name='prerequisites-for-automatic-attack-disruption-in-microsoft-365-defender'></a>
-
-## Prerequisites for automatic attack disruption in Microsoft Defender XDR
+The following are prerequisites for configuring automatic attack disruption in Microsoft Defender XDR:
 
 |Requirement|Details|
 |---|---|
 |Subscription requirements|One of these subscriptions: <ul><li>Microsoft 365 E5 or A5</li><li>Microsoft 365 E3 with the Microsoft 365 E5 Security add-on</li><li>Microsoft 365 E3 with the Enterprise Mobility + Security E5 add-on</li><li>Microsoft 365 A3 with the Microsoft 365 A5 Security add-on</li><li>Windows 10 Enterprise E5 or A5</li><li>Windows 11 Enterprise E5 or A5</li><li>Enterprise Mobility + Security (EMS) E5 or A5</li><li>Office 365 E5 or A5</li><li>Microsoft Defender for Endpoint (Plan 2)</li><li>Microsoft Defender for Identity</li><li>Microsoft Defender for Cloud Apps</li><li>Defender for Office 365 (Plan 2)</li><li>Microsoft Defender for Business</li></ul> <p> See [Microsoft Defender XDR licensing requirements](./prerequisites.md#licensing-requirements).|
 |Deployment requirements|<ul><li>Deployment across Defender products (e.g., Defender for Endpoint, Defender for Office 365, Defender for Identity, and Defender for Cloud Apps)</li><ul><li>The wider the deployment, the greater the protection coverage is. For example, if a Microsoft Defender for Cloud Apps signal is used in a certain detection, then this product is required to detect the relevant specific attack scenario.</li><li>Similarly, the relevant product should be deployed to execute an automated response action. For example, Microsoft Defender for Endpoint is required to automatically contain a device. </li></ul><li>Microsoft Defender for Endpoint's device discovery is set to 'standard discovery' (prerequisite for the automatic initiation of the "Contain Device" action)</li></ul>|
 |Permissions|To configure automatic attack disruption capabilities, you must have one of the following roles assigned in either Microsoft Entra ID (<https://portal.azure.com>) or in the Microsoft 365 admin center (<https://admin.microsoft.com>): <ul><li>Global Administrator</li><li>Security Administrator</li></ul>To work with automated investigation and response capabilities, such as by reviewing, approving, or rejecting pending actions, see [Required permissions for Action center tasks](m365d-action-center.md#required-permissions-for-action-center-tasks).|
 
-### Microsoft Defender for Endpoint Prerequisites
+### Microsoft Defender for Endpoint prerequisites
 
 #### Minimum Sense Client version (MDE client)
 
@@ -65,10 +60,10 @@ Review the configured automation level for your device group policies, whether a
 
 Device discovery settings must be activated to "Standard Discovery" at a minimum. Learn how to configure device discovery in [Set up device discovery](/defender-endpoint/configure-device-discovery).
 
->[!NOTE]
->Attack disruption can act on devices independent of a device's Microsoft Defender Antivirus operating state. The operating state can be in Active, Passive, or EDR Block Mode.
+> [!NOTE]
+> Attack disruption can act on devices independent of a device's Microsoft Defender Antivirus operating state. The operating state can be in Active, Passive, or EDR Block Mode.
 
-### Microsoft Defender for Identity Prerequisites
+### Microsoft Defender for Identity prerequisites
 
 #### Set up auditing in domain controllers
 
@@ -82,12 +77,12 @@ You can find more information on the action accounts in [Configure Microsoft Def
 
 The Defender for Identity sensor needs to be deployed on the domain controller where the Active Directory account is to be turned off.
 
->[!NOTE]
->If you have automations in place to activate or block a user, check if the automations can interfere with Disruption. For example, if there is an automation in place to regularly check and enforce that all active employees have enabled accounts, this could unintentionally activate accounts that were deactivated by attack disruption while an attack is detected. 
+> [!NOTE]
+> If you have automation in place to activate or block a user, check if the automation can interfere with disruption. For example, if there is an automation in place to regularly check and enforce that all active employees have enabled accounts, this could unintentionally activate accounts that were deactivated by attack disruption while an attack is detected. 
 
 ### Microsoft Defender for Cloud Apps prerequisites
 
-#### Microsoft Office 365 Connector 
+#### Microsoft Office 365 connector 
 
 Microsoft Defender for Cloud Apps must be connected to Microsoft Office 365 through the connector. To connect Defender for Cloud Apps, see [Connect Microsoft 365 to Microsoft Defender for Cloud Apps](/defender-cloud-apps/protect-office-365#connect-microsoft-365-to-microsoft-defender-for-cloud-apps). 
 
@@ -113,27 +108,15 @@ The following mailbox events need to be audited by minimum:
 
 Review [manage mailbox auditing](/purview/audit-mailboxes) to learn about managing mailbox auditing.
 
-#### Safelinks policy needs to be present.
-
-## Review or change automated response exclusions for users
-
-Automatic attack disruption enables the exclusion of specific user accounts from automated containment actions. Excluded users won't be affected by automated actions triggered by attack disruption. You must be a global administrator or security administrator to perform the following procedure:
-
-1. Go to the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.
-
-2. Go to **Settings** \> **Microsoft Defender XDR** \> **Identity automated response**. Check the user list to exclude accounts.
-:::image type="content" source="/defender/media/automatic-attack-disruption/Fig3-exclude-specific-users.png" alt-text="Selecting user accounts for automated response exclusion" lightbox="/defender/media/automatic-attack-disruption/Fig3-exclude-specific-users.png":::
-
-3. To exclude a new user account, select **Add user exclusion**.
-
-Excluding user accounts is not recommended, and accounts added to this list won't be suspended in all supported attack types like business email compromise (BEC) and human-operated ransomware.
+#### Safelinks policy needs to be present
 
 ## Next steps
 
 - [View details and results](autoad-results.md)
+- [Set and manage attack disruption exclusions](automatic-attack-disruption-exclusions.md)
 - [Get email notifications for response actions](m365d-response-actions-notifications.md)
 
-## See also
+## Related content
 
 - [Automatic attack disruption in Microsoft Defender XDR](automatic-attack-disruption.md)
 - [Automatic attack disruption for SAP](/azure/sentinel/sap/deployment-attack-disrupt)

defender-xdr/whats-new.md

@@ -6,7 +6,7 @@ ms.service: defender-xdr
 ms.author: diannegali
 author: diannegali
 ms.localizationpriority: medium
-ms.date: 01/17/2025
+ms.date: 02/16/2025
 manager: dansimp
 audience: ITPro
 ms.collection:
@@ -33,6 +33,9 @@ For more information on what's new with other Microsoft Defender security produc
 You can also get product updates and important notifications through the [message center](https://admin.microsoft.com/Adminportal/Home#/MessageCenter).
 
 ## February 2025
+
+- (Preview) IP addresses can now be excluded from automated responses in attack disruption. This feature allows you to exclude specific IPs from automated containment actions triggered by attack disruption. For more information, see [Exclude assets from automated responses in automatic attack disruption](automatic-attack-disruption-exclusions.md).
+
 - (Preview) The `PrivilegedEntraPimRoles` column is available for preview in the advanced hunting [IdentityInfo](advanced-hunting-identityinfo-table.md) table.