Merge branch 'main' into repo_sync_working_branch

Stacyrch140 · web-flow · commit 09babc097b24 · 2024-05-22T16:59:09.000-04:00
diff --git a/defender-endpoint/linux-support-offline-security-intelligence-update.md b/defender-endpoint/linux-support-offline-security-intelligence-update.md
@@ -14,7 +14,7 @@ ms.collection:
 - mde-linux
 ms.topic: conceptual
 search.appverid: met150
-ms.date: 03/12/2024
+ms.date: 05/17/2024
 ---
 
 # Configure Offline Security Intelligence Update for Microsoft Defender for Endpoint on Linux 
@@ -67,7 +67,6 @@ Fig. 2: Process flow diagram on the Linux endpoint for security intelligence upd
 - Defender for Endpoint version "101.24022.0001" or higher needs to be installed on the Linux endpoints.
 - The Linux endpoints need to have connectivity to the Mirror Server.
 - The Linux endpoint must be running any of the Defender for Endpoint supported distributions.
-
 - The Mirror Server can be either an HTTP/ HTTPS server or a network share server. For example, an NFS Server.
 - The Mirror Server needs to have access to the following URLs:
   - `https://github.com/microsoft/mdatp-xplat.git`
@@ -85,6 +84,7 @@ Fig. 2: Process flow diagram on the Linux endpoint for security intelligence upd
   
   > [!NOTE]
   > This configuration may vary depending on the number of requests that are served and the load each server must process.
+
 ## Configuring the Mirror Server
 
 > [!NOTE]
@@ -138,7 +138,7 @@ The `settings.json` file consists of a few variables that the user can configure
 | Field Name               | Value  | Description                                            |
 |--------------------------|--------|--------------------------------------------------------|
 | `downloadFolder`         | string | Maps to the location where the script downloads the files to |
-| `downloadLinuxUpdates`   | bool   | When set to true, the script downloads the Linux specific updates to the `downloadFolder` |
+| `downloadLinuxUpdates`   | bool   | When set to `true`, the script downloads the Linux specific updates to the `downloadFolder` |
 | `logFilePath`            | string | Sets up the diagnostic logs at a given folder. This file can be shared with Microsoft for debugging the script if there are any issues |
 | `downloadMacUpdates`     | bool   | The script downloads the Mac specific updates to the `downloadFolder` |
 | `downloadPreviewUpdates` | bool   | Downloads the preview version of the updates available for the specific OS |
@@ -189,17 +189,21 @@ Once the Mirror Server is set up, we need to propagate this URL to the Linux end
     "offlineDefinitionUpdateUrl": "http://172.22.199.67:8000/linux/production/",
     "offlineDefintionUpdateFallbackToCloud":false,
     "offlineDefinitionUpdate": "enabled"
-  }
+  },
+"features": {
+"offlineDefinitionUpdateVerifySig": "enabled"
+}
 }
 ```
 
 | Field Name                                | Values               | Comments                                            |
 |-------------------------------------------|----------------------|-----------------------------------------------------|
-| `automaticDefinitionUpdateEnabled`        | True / False         | Determines the behavior of Defender for Endpoint attempting to perform updates automatically, is turned on or off respectively |
-| `definitionUpdatesInterval`               | Numeric              | Time of interval between each automatic update of signatures (in seconds) |
-| `offlineDefinitionUpdateUrl`              | String               | URL value generated as part of the Mirror Server set up |
-| `offlineDefinitionUpdate`                 | enabled / disabled   | When set to `enabled`, the offline security intelligence update feature is enabled, and vice versa. |
-| `offlineDefinitionUpdateFallbackToCloud`  | True / False         | Determine Defender for Endpoint security intelligence update approach when offline Mirror Server fails to serve the update request. If set to true, the update is retried via the Microsoft cloud when offline security intelligence update failed, else vice versa. |
+| `automaticDefinitionUpdateEnabled`        | `True` / `False`         | Determines the behavior of Defender for Endpoint attempting to perform updates automatically, is turned on or off respectively. |
+| `definitionUpdatesInterval`               | Numeric              | Time of interval between each automatic update of signatures (in seconds). |
+| `offlineDefinitionUpdateUrl`              | String               | URL value generated as part of the Mirror Server set up. |
+| `offlineDefinitionUpdate`                 | `enabled` / `disabled`   | When set to `enabled`, the offline security intelligence update feature is enabled, and vice versa. |
+| `offlineDefinitionUpdateFallbackToCloud`  | `True` / `False`         | Determine Defender for Endpoint security intelligence update approach when offline Mirror Server fails to serve the update request. If set to true, the update is retried via the Microsoft cloud when offline security intelligence update failed, else vice versa. |
+| `offlineDefinitionUpdateVerifySig`        | `enabled` / `disabled`     | When set to `enabled`, downloaded definitions are verified on the endpoints, else vice versa. |
 
 > [!NOTE]
 > As of today the offline security intelligence update feature can be configured on Linux endpoints via managed json only. Integration with security settings management on the security portal is in our roadmap.
@@ -212,9 +216,9 @@ To test if the settings are applied correctly on the Linux endpoints, run the fo
 mdatp health --details definitions
 ```
 
-For example, a sample output would look like:
+A sample output would look like the following code snippet:
 
-```console
+```output
 user@vm:~$ mdatp health --details definitions
 automatic_definition_update_enabled         : true [managed]
 definitions_updated                         : Mar 14, 2024 at 12:13:17 PM
@@ -262,8 +266,8 @@ offline_definition_update_fallback_to_cloud : false[managed]
 
 ### Issues: MDATP update failure
 
-- Update stuck or update didn't trigger
-- Update failed
+- Update stuck, or update didn't trigger.
+- Update failed.
 
 ### Common Troubleshooting Steps
 
@@ -294,10 +298,12 @@ offline_definition_update_fallback_to_cloud : false[managed]
 ### Known Issues:
 
 Offline signature update might fail in the following scenario:  
-You enabled the feature, applied the signature updates, then disabled the feature to apply further signature updates from cloud, and subsequently re-enabled the feature for additional signature updates.
+
+   You enabled the feature, applied the signature updates, then disabled the feature to apply further signature updates from cloud, and subsequently re-enabled the feature for additional signature updates.
 
 Mitigation steps:  
-The fix for this will be available in the upcoming release. 
+
+A fix for this issue is planned to release soon. 
 
 ## Useful Links
 
diff --git a/defender-endpoint/uefi-scanning-in-defender-for-endpoint.md b/defender-endpoint/uefi-scanning-in-defender-for-endpoint.md
@@ -11,12 +11,13 @@ ms.service: defender-endpoint
 ms.subservice: ngp
 ms.localizationpriority: medium
 ms.custom:
-  - admindeeplinkDEFENDER
+- admindeeplinkDEFENDER
+ - partner-contribution
 ms.collection: 
 - m365-security
 - tier2
 search.appverid: met150
-ms.date: 04/30/2024
+ms.date: 05/22/2024
 ---
 
 # UEFI scanning in Defender for Endpoint
@@ -91,13 +92,16 @@ To detect unknown threats in SPI flash, signals from the UEFI scanner are analyz
 These events can likewise be queried through advanced hunting as shown:
 
 ```kusto
-DeviceAlertEvents
-
+let AlertStats = AlertInfo
+| where Timestamp > ago(30d)
+| where ServiceSource == "Microsoft Defender for Endpoint"
+| where DetectionSource == "Antivirus"
 | where Title has "UEFI"
-
+| join AlertEvidence on AlertId;
+AlertStats
+| join DeviceInfo on DeviceId
+| distinct DeviceName, DeviceId, AlertId, Title, Severity, DetectionSource, Timestamp
 | summarize Titles=makeset(Title) by DeviceName, DeviceId, bin(Timestamp, 1d)
-
-| limit 100
 ```
 
 ## Comprehensive security levels up with low-level protections
diff --git a/defender-endpoint/whats-new-in-microsoft-defender-endpoint.md b/defender-endpoint/whats-new-in-microsoft-defender-endpoint.md
@@ -5,9 +5,9 @@ search.appverid: met150
 ms.service: defender-endpoint
 ms.author: siosulli
 author: siosulli
-ms.reviewer: noamhadash, pahuijbr
+ms.reviewer: noamhadash, pahuijbr, yongrhee
 ms.localizationpriority: medium
-ms.date: 05/15/2024
+ms.date: 05/22/2024
 manager: deniseb
 audience: ITPro
 ms.collection:
@@ -57,6 +57,8 @@ For more information on Microsoft Defender for Endpoint on specific operating sy
 
 - (GA) [Streamlined device connectivity for Defender for Endpoint](configure-device-connectivity.md) is now generally available for Windows, macOS, and Linux. This experience makes it easier to configure and manage Defender for Endpoint services by reducing the number of URLs required for connectivity, providing IP & Azure service tag support, and simplifying post-deployment network management.
 
+- (GA) [Microsoft Defender Core service](/defender-endpoint/microsoft-defender-core-service-overview) is now generally available on Windows clients.  Helps with the stability and performance of Microsoft Defender Antivirus.
+
 ## April 2024
 
 **Microsoft Defender for Endpoint on macOS** feature now in GA:
