Merge pull request #1292 from MicrosoftDocs/main

Publish main to live 09/06/2024, 3:30 PM

Author: garycentric

defender-endpoint/edr-block-mode-faqs.yml

@@ -38,14 +38,12 @@ sections:
       - question: |
           Do I need to turn EDR in block mode on if I have Microsoft Defender Antivirus running on devices?
         answer: |
-          Yes, Microsoft recommends enabling EDR in block mode, even when primary antivirus software on the system is Microsoft Defender Antivirus. EDR detections can be automatically remediated by [PUA protection](detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md) in block mode.
-
-          The primary purpose of EDR in block mode is to remediate post-breach detections that were missed by a non-Microsoft antivirus product. There is a scenario where EDR in block mode enablement might be beneficial, even when the primary antivirus solution is Microsoft Defender Antivirus. If Microsoft Defender Antivirus is misconfigured, such as if PUA protection is not enabled, EDR in block mode can automatically remediate PUA.
+          Yes, Microsoft recommends enabling EDR in block mode, even when primary antivirus software on the system is Microsoft Defender Antivirus. The primary purpose of EDR in block mode is to remediate post-breach detections that were missed by a non-Microsoft antivirus product. However, there are scenarios where EDR in block mode might be beneficial, such as if Microsoft Defender Antivirus is misconfigured, or if [PUA protection](detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md) is not enabled. In such cases, EDR in block mode can automatically remediate detections like PUA.
 
       - question: |
           Will EDR in block mode affect a user's antivirus protection?
         answer: |
-          EDR in block mode does not affect third-party antivirus protection running on users' devices. EDR in block mode works if the primary antivirus solution misses something, or if there is a post-breach detection. EDR in block mode works just like Microsoft Defender Antivirus in passive mode, except that EDR in block mode also blocks and remediates malicious artifacts or behaviors that are detected.
+          EDR in block mode does not affect non-Microsoft antivirus protection running on users' devices. EDR in block mode works if the primary antivirus solution misses something, or if there is a post-breach detection. EDR in block mode works just like Microsoft Defender Antivirus in passive mode, except that EDR in block mode also blocks and remediates malicious artifacts or behaviors that are detected.
 
       - question: |
           Why do I need to keep Microsoft Defender Antivirus up to date?

defender-xdr/advanced-hunting-deviceevents-table.md

@@ -15,7 +15,7 @@ ms.collection:
 - m365-security
 - tier3
 ms.topic: reference
-ms.date: 04/11/2024
+ms.date: 09/06/2024
 ---
 
 # DeviceEvents
@@ -92,6 +92,16 @@ For information on other tables in the advanced hunting schema, [see the advance
 | `ReportId` | `long` | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns. |
 | `AppGuardContainerId` | `string` | Identifier for the virtualized container used by Application Guard to isolate browser activity |
 | `AdditionalFields` | `string` | Additional information about the event in JSON array format |
+| `InitiatingProcessSessionId` | `long` |  Windows session ID of the initiating process  |
+| `IsInitiatingProcessRemoteSession` | `bool` |   Indicates whether the initiating process was run under a remote desktop protocol (RDP) session (true) or locally (false) |
+| `InitiatingProcessRemoteSessionDeviceName` | `string` | Device name of the remote device from which the initiating process’s RDP session was initiated |
+| `InitiatingProcessRemoteSessionIP` | `string` | IP address of the remote device from which the initiating process’s RDP session was initiated |
+| `CreatedProcessSessionId` | `long` | Windows session ID of the created process |
+|`IsProcessRemoteSession` | `bool` | Indicates whether the created process was run under a remote desktop protocol (RDP) session (true) or locally (false) |
+| `ProcessRemoteSessionDeviceName` | `string` | Device name of the remote device from which the created process’s RDP session was initiated |
+| `ProcessRemoteSessionIP` | `string` | IP address of the remote device from which the created process’s RDP session was initiated |
+
+
 
 ## Related topics
 - [Advanced hunting overview](advanced-hunting-overview.md)

defender-xdr/advanced-hunting-devicefileevents-table.md

@@ -15,7 +15,7 @@ ms.collection:
 - m365-security
 - tier3
 ms.topic: reference
-ms.date: 04/11/2024
+ms.date: 09/06/2024
 ---
 
 # DeviceFileEvents
@@ -89,6 +89,11 @@ For information on other tables in the advanced hunting schema, [see the advance
 | `ReportId` | `long` | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns. |
 | `AppGuardContainerId` | `string` | Identifier for the virtualized container used by Application Guard to isolate browser activity |
 | `AdditionalFields` | `string` | Additional information about the entity or event |
+| `InitiatingProcessSessionId` | `long` |  Windows session ID of the initiating process  |
+| `IsInitiatingProcessRemoteSession` | `bool` |   Indicates whether the initiating process was run under a remote desktop protocol (RDP) session (true) or locally (false) |
+| `InitiatingProcessRemoteSessionDeviceName` | `string` | Device name of the remote device from which the initiating process’s RDP session was initiated |
+| `InitiatingProcessRemoteSessionIP` | `string` | IP address of the remote device from which the initiating process’s RDP session was initiated |
+
 
 > [!NOTE]
 > File hash information will always be shown when it is available. However, there are several possible reasons why a SHA1, SHA256, or MD5 cannot be calculated. For instance, the file might be located in remote storage, locked by another process, compressed, or marked as virtual. In these scenarios, the file hash information appears empty.

defender-xdr/advanced-hunting-deviceimageloadevents-table.md

@@ -15,7 +15,7 @@ ms.collection:
 - m365-security
 - tier3
 ms.topic: reference
-ms.date: 04/11/2024
+ms.date: 09/06/2024
 ---
 
 # DeviceImageLoadEvents
@@ -73,6 +73,11 @@ For information on other tables in the advanced hunting schema, [see the advance
 | `InitiatingProcessParentCreationTime` | `datetime` | Date and time when the parent of the process responsible for the event was started |
 | `ReportId` | `long` | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns. |
 | `AppGuardContainerId` | `string` | Identifier for the virtualized container used by Application Guard to isolate browser activity |
+| `InitiatingProcessSessionId` | `long` |  Windows session ID of the initiating process  |
+| `IsInitiatingProcessRemoteSession` | `bool` |   Indicates whether the initiating process was run under a remote desktop protocol (RDP) session (true) or locally (false) |
+| `InitiatingProcessRemoteSessionDeviceName` | `string` | Device name of the remote device from which the initiating process’s RDP session was initiated |
+| `InitiatingProcessRemoteSessionIP` | `string` | IP address of the remote device from which the initiating process’s RDP session was initiated |
+
 
 ## Related topics
 - [Advanced hunting overview](advanced-hunting-overview.md)

defender-xdr/advanced-hunting-devicelogonevents-table.md

@@ -15,7 +15,7 @@ ms.collection:
 - m365-security
 - tier3
 ms.topic: reference
-ms.date: 01/16/2024
+ms.date: 09/06/2024
 ---
 
 # DeviceLogonEvents
@@ -82,6 +82,11 @@ For information on other tables in the advanced hunting schema, [see the advance
 | `ReportId` | `long` | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns. |
 | `AppGuardContainerId` | `string` | Identifier for the virtualized container used by Application Guard to isolate browser activity |
 | `AdditionalFields` | `string` | Additional information about the event in JSON array format |
+| `InitiatingProcessSessionId` | `long` |  Windows session ID of the initiating process  |
+| `IsInitiatingProcessRemoteSession` | `bool` |   Indicates whether the initiating process was run under a remote desktop protocol (RDP) session (true) or locally (false) |
+| `InitiatingProcessRemoteSessionDeviceName` | `string` | Device name of the remote device from which the initiating process’s RDP session was initiated |
+| `InitiatingProcessRemoteSessionIP` | `string` | IP address of the remote device from which the initiating process’s RDP session was initiated |
+
 
 > [!NOTE]
 > The collection of DeviceLogonEvents is not supported on Windows 7 or Windows Server 2008R2 devices onboarded to Defender for Endpoint. We recommend upgrading to a more recent operating system for optimal visibility into user logon activity.

defender-xdr/advanced-hunting-devicenetworkevents-table.md

@@ -15,7 +15,7 @@ ms.collection:
 - m365-security
 - tier3
 ms.topic: reference
-ms.date: 04/11/2024
+ms.date: 09/06/2024
 ---
 
 # DeviceNetworkEvents
@@ -78,6 +78,11 @@ For information on other tables in the advanced hunting schema, [see the advance
 | `ReportId` | `long` | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns. |
 | `AppGuardContainerId` | `string` | Identifier for the virtualized container used by Application Guard to isolate browser activity |
 | `AdditionalFields` | `string` | Additional information about the event in JSON array format |
+| `InitiatingProcessSessionId` | `long` |  Windows session ID of the initiating process  |
+| `IsInitiatingProcessRemoteSession` | `bool` |   Indicates whether the initiating process was run under a remote desktop protocol (RDP) session (true) or locally (false) |
+| `InitiatingProcessRemoteSessionDeviceName` | `string` | Device name of the remote device from which the initiating process’s RDP session was initiated |
+| `InitiatingProcessRemoteSessionIP` | `string` | IP address of the remote device from which the initiating process’s RDP session was initiated |
+
 
 ## Related topics
 - [Advanced hunting overview](advanced-hunting-overview.md)

defender-xdr/advanced-hunting-deviceprocessevents-table.md

@@ -15,7 +15,7 @@ ms.collection:
 - m365-security
 - tier3
 ms.topic: reference
-ms.date: 04/11/2024
+ms.date: 09/06/2024
 ---
 
 # DeviceProcessEvents
@@ -96,6 +96,14 @@ For information on other tables in the advanced hunting schema, [see the advance
 | `ReportId` | `long` | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns. |
 | `AppGuardContainerId` | `string` | Identifier for the virtualized container used by Application Guard to isolate browser activity |
 | `AdditionalFields` | `string` | Additional information about the event in JSON array format |
+| `InitiatingProcessSessionId` | `long` |  Windows session ID of the initiating process  |
+| `IsInitiatingProcessRemoteSession` | `bool` |   Indicates whether the initiating process was run under a remote desktop protocol (RDP) session (true) or locally (false) |
+| `InitiatingProcessRemoteSessionDeviceName` | `string` | Device name of the remote device from which the initiating process’s RDP session was initiated |
+| `InitiatingProcessRemoteSessionIP` | `string` | IP address of the remote device from which the initiating process’s RDP session was initiated |
+| `CreatedProcessSessionId` | `long` | Windows session ID of the created process |
+|`IsProcessRemoteSession` | `bool` | Indicates whether the created process was run under a remote desktop protocol (RDP) session (true) or locally (false) |
+| `ProcessRemoteSessionDeviceName` | `string` | Device name of the remote device from which the created process’s RDP session was initiated |
+| `ProcessRemoteSessionIP` | `string` | IP address of the remote device from which the created process’s RDP session was initiated |
 
 
 ## Related topics

defender-xdr/advanced-hunting-deviceregistryevents-table.md

@@ -15,7 +15,7 @@ ms.collection:
 - m365-security
 - tier3
 ms.topic: reference
-ms.date: 04/11/2024
+ms.date: 09/06/2024
 ---
 
 # DeviceRegistryEvents
@@ -74,6 +74,11 @@ For information on other tables in the advanced hunting schema, [see the advance
 | `InitiatingProcessTokenElevation` | `string` | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
 | `ReportId` | `long` | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns. |
 | `AppGuardContainerId` | `string` | Identifier for the virtualized container used by Application Guard to isolate browser activity |
+| `InitiatingProcessSessionId` | `long` |  Windows session ID of the initiating process  |
+| `IsInitiatingProcessRemoteSession` | `bool` |   Indicates whether the initiating process was run under a remote desktop protocol (RDP) session (true) or locally (false) |
+| `InitiatingProcessRemoteSessionDeviceName` | `string` | Device name of the remote device from which the initiating process’s RDP session was initiated |
+| `InitiatingProcessRemoteSessionIP` | `string` | IP address of the remote device from which the initiating process’s RDP session was initiated |
+
 
 ## Related topics
 - [Advanced hunting overview](advanced-hunting-overview.md)