You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
There are multiple fixes and new changes in this release.
50
+
51
+
- This release fixes a bug related to high memory usage eventually leading to high CPU due to eBPF memory leak in kernel space resulting in servers going into unusable states. This only impacted the kernel versions 3.10x and <= 4.16x, majorly on RHEL/CentOS distros. Please update to the latest MDE version to avoid any impact.
52
+
- We have now simplified the output of `mdatp health --detail features`
Copy file name to clipboardExpand all lines: defender-endpoint/microsoft-defender-core-service-overview.md
+3-3Lines changed: 3 additions & 3 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -7,7 +7,7 @@ manager: deniseb
7
7
ms.service: defender-endpoint
8
8
ms.subservice: ngp
9
9
ms.topic: overview
10
-
ms.date: 04/24/2024
10
+
ms.date: 06/21/2024
11
11
search.appverid: met150
12
12
ms.localizationpriority: medium
13
13
audience: ITPro
@@ -26,11 +26,11 @@ To enhance your endpoint security experience, Microsoft is releasing the Microso
26
26
27
27
1. The Microsoft Defender Core service is releasing with [Microsoft Defender Antivirus platform version 4.18.23110.2009](./msda-updates-previous-versions-technical-upgrade-support.md#october-2023-platform-418231002009--engine-11231002009).
28
28
29
-
2. Rollout begins on:
29
+
1. Rollout is planned to begin as follows:
30
30
31
31
- November 2023 to prerelease customers.
32
32
- Mid April 2024 to Enterprise customers running Windows clients.
33
-
-Mid June 2024 to U.S. Government customers running Windows clients.
33
+
-Beginning of July 2024 to U.S. Government customers running Windows clients.
34
34
35
35
3. If you're using the Microsoft Defender for Endpoint **streamlined** device connectivity experience, you don't need to add any other URLs.
Copy file name to clipboardExpand all lines: defender-endpoint/review-detected-threats.md
+20-12Lines changed: 20 additions & 12 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -12,7 +12,7 @@ ms.collection:
12
12
- tier2
13
13
- mde-edr
14
14
ms.topic: conceptual
15
-
ms.date: 05/29/2024
15
+
ms.date: 06/21/2024
16
16
ms.subservice: edr
17
17
search.appverid: met150
18
18
---
@@ -39,15 +39,15 @@ In the Microsoft Defender portal, you can view and manage threat detections usin
39
39
40
40
1. Visit [Microsoft XDR portal](https://security.microsoft.com/) and sign-in.
41
41
42
-
On the landing page, you'll see the **Devices with active malware** card with the following information:
42
+
On the landing page, you see the **Devices with active malware** card with the following information:
43
43
44
44
- Display text: Applies to Intune-managed devices. Devices with multiple malware detections may be counted more than once.
45
45
- Last updated date and time.
46
46
- A bar with the Active and Malware remediated portions as per your scan.
47
47
48
48
You can select **View Details** for more information.
49
49
50
-
2. Once remediated, you'll see the following text being displayed:
50
+
2. Once remediated, you see the following text being displayed:
51
51
52
52
*Malware found on your devices have been remediated successfully*.
53
53
@@ -59,7 +59,7 @@ You can manage threat detections for any devices that are [enrolled in Microsoft
59
59
60
60
2. In the navigation pane, select **Endpoint security**.
61
61
62
-
3. Under **Manage**, select **Antivirus**. You'll see tabs for **Summary**, **Unhealthy endpoints**, and **Active malware**.
62
+
3. Under **Manage**, select **Antivirus**. You see tabs for **Summary**, **Unhealthy endpoints**, and **Active malware**.
63
63
64
64
4. Review the information on the available tabs, and then take action as necessary.
65
65
@@ -72,20 +72,23 @@ You can manage threat detections for any devices that are [enrolled in Microsoft
72
72
73
73
## FAQs
74
74
75
-
### In the Microsoft XDR portal > Devices with active malware > Devices with malware detections report, why does the Last update seem to be occurring today?
75
+
####In the Microsoft XDR portal > Devices with active malware > Devices with malware detections report, why does the Last update seem to be occurring today?
76
76
77
-
To see when the malware was detected, you can do the following:
77
+
To see when the malware was detected, you can take the following steps:
78
78
79
79
1. Since this is an integration with Intune, visit [**Intune portal**](https://intune.microsoft.com) and select **Antivirus** and then select **Active malware** tab.
80
+
80
81
2. Select **Export**.
81
-
3. On your device, go to Downloads, and extract the Active malware_YYYY_MM_DD_THH_MM_SS.0123Z.csv.zip.
82
+
83
+
3. On your device, go to Downloads, and extract the `Active malware_YYYY_MM_DD_THH_MM_SS.0123Z.csv.zip` file.
84
+
82
85
4. Open the CSV and find the **LastStateChangeDateTime** column to see when malware was detected.
83
86
84
-
### In the devices with malware detections report, why can't I see any information about which malware was detected on the device.
87
+
####In the devices with malware detections report, why can't I see any information about which malware was detected on the device.
85
88
86
-
To see the malware name, visit the [Intune portal](https://intune.microsoft.com) as this is an integration with Intune, select **Antivirus**, and select **Active malware** tab and you'll see a column named **Malware name**.
89
+
To see the malware name, visit the [Intune portal](https://intune.microsoft.com) as this is an integration with Intune, select **Antivirus**, and select **Active malware** tab and you see a column named **Malware name**.
87
90
88
-
### I see a different number for active malware in Devices with active malware report, when compared to numbers I see using Reports > Detected malware, and Intune > Antivirus > Active malware.
91
+
####I see a different number for active malware in Devices with active malware report, when compared to numbers I see using Reports > Detected malware, and Intune > Antivirus > Active malware.
89
92
90
93
The **Devices with active malware** report is based on the devices that were active within the last 1 day (24 hours) and had malware detections within the last 15 days.
### I searched the computer name in the top search bar and got two devices with the same name. I don't know which one of those two devices the report is referring to?
112
+
####I searched the computer name in the top search bar and got two devices with the same name. I don't know which one of those two devices the report is referring to?
110
113
111
114
Use the Advanced Hunting query that is mentioned [here](#i-see-a-different-number-for-active-malware-in-devices-with-active-malware-report-when-compared-to-numbers-i-see-using-reports--detected-malware-and-intune--antivirus--active-malware) for details such as unique DeviceID, Title, AlertID, and the remediation process. After identifying, work with your IT admin's to make sure that the devices are uniquely named. If a device is retired, use [tags to decommission it.](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/how-to-use-tagging-effectively-part-1/ba-p/1964058)
112
115
113
-
### I see malware detection in Intune and on the Devices with active malware report, but I don't see it in the MDE Alerts queue or in the Incidents queue.
116
+
####I see malware detection in Intune and on the Devices with active malware report, but I don't see it in the MDE Alerts queue or in the Incidents queue.
114
117
115
118
It might be that the URL's [Cloud Protection](configure-network-connections-microsoft-defender-antivirus.md) is currently not being allowed through your firewall or proxy.
116
119
117
120
You need to ensure that when you run `%ProgramFiles%\Windows Defender\MpCmdRun.exe -ValidateMapsConnection` on your device, the reporting is Ok.
118
121
122
+
#### I see a device that has been inactive for 180+ days but still showing up on the report for 'Devices with active malware'. The device doesn't show in the "Device inventory", can't be turned on and can't be offboarded from Microsoft Defender for Endpoint.
123
+
124
+
125
+
The device has not been [retired](/mem/intune/remote-actions/devices-wipe) from Intune.
126
+
119
127
## Related articles
120
128
121
129
-[Alerts in Microsoft Defender for Endpoint](investigate-alerts.md)
Copy file name to clipboardExpand all lines: defender-xdr/configure-event-hub.md
+2-2Lines changed: 2 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -15,7 +15,7 @@ ms.collection:
15
15
- tier2
16
16
ms.custom: admindeeplinkDEFENDER
17
17
ms.topic: conceptual
18
-
ms.date: 02/08/2023
18
+
ms.date: 06/21/2024
19
19
---
20
20
21
21
# Configure your Event Hubs
@@ -135,7 +135,7 @@ For these Event Hubs (not namespace), you'll need to configure a Shared Access P
135
135
136
136
- Contributor role at the Event Hubs *Namespace* Resource level or higher for the Event Hubs that you'll be exporting to. Without this permission, you'll get an export error when you try to save the settings.
137
137
138
-
-Global Admin or Security Admin Role on the tenant tied to Microsoft Defender XDR and Azure.
138
+
- Security Admin Role on the tenant tied to Microsoft Defender XDR and Azure.
139
139
140
140
:::image type="content" source="/defender/media/55d5b1c21dd58692fb12a6c1c35bd4fa.png" alt-text="The Settings page of the Microsoft Defender portal" lightbox="/defender/media/55d5b1c21dd58692fb12a6c1c35bd4fa.png":::
Copy file name to clipboardExpand all lines: defender-xdr/mssp-access.md
+2-2Lines changed: 2 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -16,7 +16,7 @@ search.appverid:
16
16
ms.collection:
17
17
- m365-security
18
18
- tier2
19
-
ms.date: 02/16/2021
19
+
ms.date: 06/21/2024
20
20
---
21
21
22
22
# Provide managed security service provider (MSSP) access
@@ -52,7 +52,7 @@ To implement a multitenant delegated access solution, take the following steps:
52
52
53
53
2. Create Defender for Endpoint roles for appropriate access levels in Customer Defender for Endpoint in Microsoft Defender portal roles and groups.
54
54
55
-
To enable RBAC in the customer Microsoft Defender portal, access **Permissions > Endpoints roles & groups > Roles** with a user account with Global Administrator or Security Administrator rights.
55
+
To enable RBAC in the customer Microsoft Defender portal, access **Permissions > Endpoints roles & groups > Roles** with a user account with Security Administrator rights.
56
56
57
57
:::image type="content" source="/defender/media/mssp-access.png" alt-text="The details of the MSSP access in the Microsoft Defender portal" lightbox="/defender/media/mssp-access.png":::
Copy file name to clipboardExpand all lines: defender-xdr/prerequisites.md
+8-3Lines changed: 8 additions & 3 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -16,7 +16,7 @@ ms.topic: conceptual
16
16
search.appverid:
17
17
- MOE150
18
18
- MET150
19
-
ms.date: 12/5/2023
19
+
ms.date: 06/21/2024
20
20
---
21
21
22
22
# Microsoft Defender XDR prerequisites
@@ -56,11 +56,16 @@ For more information, [view the Microsoft 365 Enterprise service plans](https://
56
56
Go to Microsoft 365 admin center ([admin.microsoft.com](https://admin.microsoft.com/)) to view your existing licenses. In the admin center, go to **Billing**\>**Licenses**.
57
57
58
58
> [!NOTE]
59
-
> You need to be assigned either the **Billing admin** or **Global reader**[role in Microsoft Entra ID](/azure/active-directory/roles/permissions-reference) to be able to see license information. If you encounter access problems, contact a global admin.
59
+
> You need to be assigned either the **Billing admin** or **Global reader**[role in Microsoft Entra ID](/azure/active-directory/roles/permissions-reference) to be able to see license information. If you encounter access problems, contact a Global Administrator.
60
60
61
61
## Required permissions
62
62
63
-
You must be a **global administrator** or a **security administrator** in Microsoft Entra ID to turn on Microsoft Defender XDR. For the list of roles required to use Microsoft Defender XDR and information on how access to data is regulated, read about [managing access to Microsoft Defender XDR](m365d-permissions.md).
63
+
You must at least be a **security administrator** in Microsoft Entra ID to turn on Microsoft Defender XDR. For the list of roles required to use Microsoft Defender XDR and information on how access to data is regulated, read about [managing access to Microsoft Defender XDR](m365d-permissions.md).
64
+
65
+
>[!IMPORTANT]
66
+
>Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
Copy file name to clipboardExpand all lines: defender-xdr/streaming-api-event-hub.md
+5-2Lines changed: 5 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -13,7 +13,7 @@ ms.collection:
13
13
- tier3
14
14
ms.custom: admindeeplinkDEFENDER
15
15
ms.topic: conceptual
16
-
ms.date: 02/08/2023
16
+
ms.date: 06/21/2024
17
17
---
18
18
19
19
# Configure Microsoft Defender XDR to stream Advanced Hunting events to your Azure Event Hub
@@ -43,7 +43,10 @@ Prior to configuring Microsoft Defender XDR to stream data to Event Hubs, ensure
43
43
44
44
## Enable raw data streaming
45
45
46
-
1. Log on to <ahref="https://go.microsoft.com/fwlink/p/?linkid=2077139"target="_blank">Microsoft Defender portal</a> as a ***Global Administrator*** or ***Security Administrator***.
46
+
1. Log on to <ahref="https://go.microsoft.com/fwlink/p/?linkid=2077139"target="_blank">Microsoft Defender portal</a> as a ***Security Administrator*** at a minimum.
47
+
48
+
>[!IMPORTANT]
49
+
>Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
47
50
48
51
2. Go to the [Streaming API settings page](https://sip.security.microsoft.com/settings/mtp_settings/raw_data_export).
Copy file name to clipboardExpand all lines: defender-xdr/streaming-api-storage.md
+5-2Lines changed: 5 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -13,7 +13,7 @@ ms.collection:
13
13
- tier3
14
14
ms.custom: admindeeplinkDEFENDER
15
15
ms.topic: conceptual
16
-
ms.date: 02/08/2023
16
+
ms.date: 06/21/2024
17
17
---
18
18
19
19
# Configure Microsoft Defender XDR to stream Advanced Hunting events to your Storage account
@@ -44,7 +44,10 @@ Once the Storage account is created, you'll need to:
44
44
45
45
## Enable raw data streaming
46
46
47
-
1. Log in to <ahref="https://go.microsoft.com/fwlink/p/?linkid=2077139"target="_blank">Microsoft Defender XDR</a> as a ***Global Administrator*** or ***Security Administrator***.
47
+
1. Log in to <ahref="https://go.microsoft.com/fwlink/p/?linkid=2077139"target="_blank">Microsoft Defender XDR</a> as a ***Security Administrator*** at a minimum.
48
+
49
+
>[!IMPORTANT]
50
+
>Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
48
51
49
52
2. Go to **Settings**\>**Microsoft Defender XDR**\>**Streaming API**. To go directly to the **Streaming API** page, use <https://security.microsoft.com/settings/mtp_settings/raw_data_export>.
0 commit comments