Merge branch 'main' into group

Author: tarTech23

defender-endpoint/attack-surface-reduction-rules-reference.md

@@ -15,7 +15,7 @@ ms.collection:
 - m365-security
 - tier2
 - mde-asr
-ms.date: 05/02/2024
+ms.date: 09/07/2024
 search.appverid: met150
 ---
 
@@ -109,7 +109,6 @@ The following ASR rules DO NOT honor Microsoft Defender for Endpoint Indicators
 The following table lists the supported operating systems for rules that are currently released to general availability. The rules are listed alphabetical order in this table.
 
 > [!NOTE]
->
 > Unless otherwise indicated, the minimum Windows 10 build is version 1709 (RS3, build 16299) or later; the minimum Windows Server build is version 1809 or later.
 >
 > Attack surface reduction rules in Windows Server 2012 R2 and Windows Server 2016 are available for devices onboarded using the modern unified solution package. For more information, see [New Windows Server 2012 R2 and 2016 functionality in the modern unified solution](configure-server-endpoints.md#functionality-in-the-modern-unified-solution).
@@ -257,7 +256,6 @@ This rule prevents an application from writing a vulnerable signed driver to dis
 The **Block abuse of exploited vulnerable signed drivers** rule doesn't block a driver already existing on the system from being loaded.
 
 > [!NOTE]
->
 > You can configure this rule using Intune OMA-URI. See [Intune OMA-URI](enable-attack-surface-reduction.md#custom-profile-in-intune) for configuring custom rules.
 >
 > You can also configure this rule using [PowerShell](enable-attack-surface-reduction.md#powershell).
@@ -322,6 +320,9 @@ Dependencies: Microsoft Defender Antivirus
 
 ### Block credential stealing from the Windows local security authority subsystem
 
+> [!NOTE]
+> If you have [LSA protection](/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection) enabled and [Credential Guard](/windows/security/identity-protection/credential-guard) enabled, this attack surface reduction rule is not required. 
+
 This rule helps prevent credential stealing by locking down Local Security Authority Subsystem Service (LSASS).
 
 LSASS authenticates users who sign in on a Windows computer. Microsoft Defender Credential Guard in Windows normally prevents attempts to extract credentials from LSASS. Some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS.
@@ -573,6 +574,14 @@ Configuration Manager name: Not yet available
 
 GUID: `33ddedf1-c6e0-47cb-833e-de6133960387`
 
+Advanced hunting action type:
+
+- `AsrSafeModeRebootedAudited`
+
+- `AsrSafeModeRebootBlocked`
+
+- `AsrSafeModeRebootWarnBypassed`
+
 Dependencies: Microsoft Defender Antivirus
 
 ### Block untrusted and unsigned processes that run from USB
@@ -610,6 +619,14 @@ Configuration Manager name: Not yet available
 
 GUID: `c0033c00-d16d-4114-a5a0-dc9b3a7d2ceb`
 
+Advanced hunting action type:
+
+- `AsrAbusedSystemToolAudited`
+
+- `AsrAbusedSystemToolBlocked`
+
+- `AsrAbusedSystemToolWarnBypassed`
+
 Dependencies: Microsoft Defender Antivirus
 
 ### Block Webshell creation for Servers

defender-endpoint/defender-endpoint-false-positives-negatives.md

@@ -16,7 +16,7 @@ ms.collection:
 - m365solution-fpfn
 - highpri
 - tier1
-ms.topic: how-to
+ms.topic: solution-overview
 ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs, yonghree, jcedola
 ms.custom: 
 - FPFN

defender-endpoint/edr-detection.md

@@ -15,7 +15,7 @@ ms.custom: admindeeplinkDEFENDER
 ms.topic: conceptual
 ms.subservice: edr
 search.appverid: met150
-ms.date: 08/15/2024
+ms.date: 09/04/2024
 ---
 
 # EDR detection test for verifying device's onboarding and reporting services
@@ -57,25 +57,28 @@ Run an EDR detection test to verify that the device is properly onboarded and re
 
 
 ```bash
-curl -o ~/Downloads/MDE Linux DIY.zip https://aka.ms/MDE-Linux-EDR-DIY
+curl -o ~/Downloads/MDE-Linux-EDR-DIY.zip -L https://aka.ms/MDE-Linux-EDR-DIY
 ```
 
-1. Extract the zip 
+2. Extract the zip 
 
 ```bash
 unzip ~/Downloads/MDE-Linux-EDR-DIY.zip
 ```
 
-1. And run the following command: 
+3. And run the following command to give the script executable permission: 
 
 ```bash
-./mde_linux_edr_diy.sh
+chmod +x ./mde_linux_edr_diy.sh
 ```
 
-After a few minutes, a detection should be raised in Microsoft Defender XDR.
-
-3. Look at the alert details, machine timeline, and perform your typical investigation steps.
+4. Run the following command to execute the script:
+```bash
+ ./mde_linux_edr_diy.sh
+```
 
+5. After a few minutes, a detection should be raised in Microsoft Defender XDR. Look at the alert details, machine timeline, and perform your typical investigation steps.
+ 
 ### macOS
 
 1. In your browser, Microsoft Edge for Mac or Safari, download *MDATP MacOS DIY.zip* from [https://aka.ms/mdatpmacosdiy](https://aka.ms/mdatpmacosdiy) and extract.

defender-endpoint/indicator-file.md

@@ -6,7 +6,7 @@ ms.service: defender-endpoint
 ms.author: siosulli
 author: siosulli
 ms.localizationpriority: medium
-ms.date: 08/26/2024
+ms.date: 09/03/2024
 manager: deniseb
 audience: ITPro
 ms.collection: 
@@ -63,7 +63,12 @@ Understand the following prerequisites before you create indicators for files:
 
 - To start blocking files, [turn on the "block or allow" feature](advanced-features.md) in Settings (in the [Microsoft Defender portal](https://security.microsoft.com), go to **Settings** > **Endpoints** > **General** > **Advanced features** > **Allow or block file**).
 
-This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. It currently supports portable executable (PE) files, including `.exe` and `.dll` files. Coverage is extended over time.
+This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. 
+
+> [!NOTE]
+> File indicators support portable executable (PE) files, including `.exe` and `.dll` files only.
+
+
 
 > [!IMPORTANT]
 > In Defender for Endpoint Plan 1 and Defender for Business, you can create an indicator to block or allow a file. In Defender for Business, your indicator is applied across your environment and cannot be scoped to specific devices.

defender-endpoint/linux-support-ebpf.md

@@ -15,7 +15,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: linux
 search.appverid: met150
-ms.date: 08/22/2024
+ms.date: 09/07/2024
 ---
 
 # Use eBPF-based sensor for Microsoft Defender for Endpoint on Linux
@@ -62,6 +62,10 @@ The eBPF sensor for Microsoft Defender for Endpoint on Linux is supported on the
 | Oracle Linux RHCK  | 7.9                  | 3.10.0-1160    |
 | Oracle Linux UEK   | 7.9                  | 5.4            |
 | Amazon Linux 2     | 2                    | 5.4.261-174.360|
+| Rocky Linux 8      | 8.7                  | 4.18.0-425     |
+| Rocky Linux 9      | 9.2                  | 5.14.0-284     |
+| Alma Linux 8       | 8.4                  | 4.18.0-305     |
+| Alma Linux 9       | 9.2                  | 5.14.0-284     |
 
 > [!NOTE]
 > Oracle Linux 8.8 with kernel version 5.15.0-0.30.20.el8uek.x86_64, 5.15.0-0.30.20.1.el8uek.x86_64 will result in kernel hang when eBPF is enabled as supplementary subsystem provider. This kernel version should not be used for eBPF mode. Refer to Troubleshooting and Diagnostics section for mitigation steps.
@@ -153,7 +157,7 @@ The following two sets of data help analyze potential issues and determine the m
 
 #### Troubleshooting performance issues
 
-If you see increased resource consumption by Microsoft Defender on your endpoints, it's important to identify the process/mount-point/files that are causing most of the CPU/Memory utilization. You can then apply the necessary exclusions. After applying possible antivirusexclusions, if `wdavdaemon` (parent process) is still consuming the resources, use the ebpf-statistics command to get the top system call count:
+If you see increased resource consumption by Microsoft Defender on your endpoints, it's important to identify the process/mount-point/files that are causing most of the CPU/Memory utilization. You can then apply the necessary exclusions. After applying possible antivirus exclusions, if `wdavdaemon` (parent process) is still consuming the resources, use the ebpf-statistics command to get the top system call count:
 
 ```Bash
 sudo mdatp diagnostic  ebpf-statistics

defender-endpoint/mtd.md

@@ -7,7 +7,7 @@ ms.subservice: onboard
 ms.author: siosulli
 author: siosulli
 ms.localizationpriority: medium
-ms.date: 01/28/2024
+ms.date: 09/05/2024
 manager: deniseb
 audience: ITPro
 ms.collection: 
@@ -101,10 +101,10 @@ While evaluating mobile threat defense with Microsoft Defender for Endpoint, you
 This helps reduce potential issues that could arise while rolling out the service. Here are some tests and exit criteria that might help:
 
 - Devices show up in the device inventory list: After successful onboarding of Defender for Endpoint on the mobile device, verify that the device is listed in the Device Inventory in the [security console](https://security.microsoft.com).
+<!---
+- Run a malware detection test on an Android device: Install any test virus app from the Google play store and verify that it gets detected by Microsoft Defender for Endpoint. Here's an example app that can be used for this test: (We are working on new one, it will be updated soon). Note that on Android Enterprise with a work profile, only the work profile is supported. --->
 
-- Run a malware detection test on an Android device: Install any test virus app from the Google play store and verify that it gets detected by Microsoft Defender for Endpoint. Here's an example app that can be used for this test: [Test virus](https://play.google.com/store/apps/details?id=com.antivirus&hl=en_US&gl=US). Note that on Android Enterprise with a work profile, only the work profile is supported.
-
-- Run a phishing test: Browse to https://smartscreentestratings2.net and verify that it gets blocked by Microsoft Defender for Endpoint. Note that on Android Enterprise with a work profile, only the work profile is supported.
+- Run a phishing test: Browse to `https://smartscreentestratings2.net` and verify that it gets blocked by Microsoft Defender for Endpoint. Note that on Android Enterprise with a work profile, only the work profile is supported.
 
 - Alerts appear in dashboard: Verify that alerts for above detection tests appear on the [security console](https://security.microsoft.com).
 

defender-endpoint/switch-to-mde-overview.md

@@ -14,7 +14,7 @@ ms.collection:
 - m365initiative-defender-endpoint
 - highpri
 - tier1
-ms.topic: overview
+ms.topic: solution-overview
 ms.custom: migrationguides
 ms.date: 10/24/2023
 ms.reviewer: jesquive, chventou, jonix, chriggs, owtho, yongrhee

defender-endpoint/troubleshoot-collect-support-log.md

@@ -14,7 +14,7 @@ ms.collection:
 ms.topic: troubleshooting
 ms.subservice: edr
 search.appverid: met150
-ms.date: 08/13/2024
+ms.date: 09/03/2024
 ---
 
 # Collect support logs in Microsoft Defender for Endpoint using live response
@@ -51,9 +51,12 @@ This article provides instructions on how to run the tool via Live Response on W
 
    :::image type="content" source="media/analyzer-file.png" alt-text="The choose file button-2" lightbox="media/analyzer-file.png":::
 
+   Repeat this step for the `MDEClientAnalyzerPreview.zip` file.
+
 6. While still in the LiveResponse session, use the following commands to run the analyzer and collect the resulting file.
 
    ```console
+   Putfile MDEClientAnalyzerPreview.zip
    Run MDELiveAnalyzer.ps1
    GetFile "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\MDECA\MDEClientAnalyzerResult.zip"
    ```

defender-office-365/mdo-privacy.md

@@ -5,7 +5,7 @@ f1.keywords:
 ms.author: chrisda
 author: chrisda
 manager: deniseb
-ms.date: 08/22/2024
+ms.date: 09/03/2024
 audience: ITPro
 ms.topic: conceptual
 ms.service: defender-office-365
@@ -42,7 +42,7 @@ All [reports in Defender for Office 365](reports-defender-for-office-365.md) are
 - All related data is securely stored in the organization's region.
 - Only authorized users in the organization can access the data.
 
-Microsoft stores this data securely in Microsoft Entra and maintains it in accordance with Microsoft privacy practices and [Microsoft Trust Center policies](https://go.microsoft.com/fwlink/p/?linkid=827578). All service log data at rest is encrypted and hashed using ODL and CDP encryption (no clear text). Defender for Office 365 uses this data for the following features:
+Microsoft stores this data securely in Microsoft Entra and maintains it in accordance with Microsoft privacy practices and [Microsoft Trust Center policies](https://go.microsoft.com/fwlink/p/?linkid=827578). All service log data at rest is encrypted and hashed using Office Data Loader (ODL) and Common Data Platform (CDP) encryption (no clear text). Defender for Office 365 uses this data for the following features:
 
 - Threat protection policies to set the appropriate level of protection for your organization.
 - Real-time reports to monitor Defender for Office 365 performance in your organization.

defender-xdr/configure-asset-rules.md

@@ -12,7 +12,7 @@ ms.collection:
 - tier2
 ms.topic: conceptual
 search.appverid: met150
-ms.date: 07/11/2023
+ms.date: 09/04/2024
 ---
 
 # Asset rule management - Dynamic rules for devices
@@ -37,24 +37,31 @@ Dynamic rules can help manage device context by assigning tags and device values
 
 A rule can be based on device name, domain, OS platform, internet facing status, onboarding status and manual device tags. You can select or create a tag that will be applied based on the conditions you've set.
 
+> [!IMPORTANT]
+> Use of [dynamic device tagging](/defender-xdr/configure-asset-rules) capabilities in Defender for Endpoint to tag devices with `MDE-Management` isn't currently supported with security settings management. Devices tagged through this capability don't successfully enroll. This is currently under investigation.
+
 The following steps guide you on how to create a new dynamic rule in Microsoft Defender XDR:
 
 1. Sign in to the [Microsoft Defender portal](https://security.microsoft.com) as a user who can view and perform actions on all devices.
+
 2. In the navigation pane, select **Settings** \> **Microsoft Defender XDR** \> **Asset Rule Management**.
+
 3. Select **Create a new rule**.
+
 4. Enter a **Rule name** and **Description***.
+
 5. Select **Next** to choose the conditions you want to assign:
 
-:::image type="content" source="/defender/media/defender/rule-conditions.png" alt-text="Screenshot of the Rule conditions page" lightbox="/defender/media/defender/rule-conditions.png":::
+   :::image type="content" source="/defender/media/defender/rule-conditions.png" alt-text="Screenshot of the Rule conditions page" lightbox="/defender/media/defender/rule-conditions.png":::
 
 6. Select **Next** and choose the tag to apply to this rule.
 
-:::image type="content" source="/defender/media/defender/actions-to-apply.png" alt-text="Screenshot of the actions page" lightbox="/defender/media/defender/actions-to-apply.png":::
+   :::image type="content" source="/defender/media/defender/actions-to-apply.png" alt-text="Screenshot of the actions page" lightbox="/defender/media/defender/actions-to-apply.png":::
 
 7. Select **Next** to review and finish creating the rule and then select **Submit**.
 
->[!Note]
-> It may take up to 1 hour for changes to be reflected in the portal.
+   >[!NOTE]
+   > It may take up to 1 hour for changes to be reflected in the portal.
 
 ### Dynamic tags in the Device Inventory
 
@@ -63,13 +70,15 @@ You can see the dynamic tags assigned in the Device Inventory view.
 To see tags on individual devices:
 
 1. Select **Devices** from the **Assets** navigation menu in the [Microsoft Defender portal](https://security.microsoft.com).
+
 2. In the **Device Inventory** page, select the device name that you want to view.
+
 3. Select **Manage tags**.
 
-:::image type="content" source="/defender/media/defender/manage-machine-tags.png" alt-text="Screenshot of the machine tags page" lightbox="/defender/media/defender/manage-machine-tags.png":::
+   :::image type="content" source="/defender/media/defender/manage-machine-tags.png" alt-text="Screenshot of the machine tags page" lightbox="/defender/media/defender/manage-machine-tags.png":::
 
 ### Updating rules
 
-Dynamic tags and device values set by dynamic rules can't be manually updated. To edit, delete or turn off a rule, in the **Asset Rule Management** page select the rule and choose the action you wish to take:
+Dynamic tags and device values set by dynamic rules can't be manually updated. To edit, delete or turn off a rule, in the **Asset Rule Management** page select the rule and choose an action.
 
 :::image type="content" source="/defender/media/defender/update-rule.png" alt-text="Screenshot of the rule details page" lightbox="/defender/media/defender/update-rule.png":::