Merge branch 'main' into mansa

Author: tarTech23

defender-endpoint/defender-endpoint-trial-user-guide.md

@@ -7,7 +7,7 @@ ms.author: deniseb
 manager: deniseb 
 audience: ITPro
 ms.topic: how-to
-ms.date: 09/10/2024
+ms.date: 11/11/2024
 ms.collection: 
 - m365-security
 - tier2
@@ -117,6 +117,8 @@ After you have onboarded devices, [run a detection test](run-detection-test.md).
 
 The Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) is a central location where you can view onboarded devices, security recommendations, detected threats, alerts, and more. To get started, see [Microsoft Defender portal](/defender-xdr/microsoft-365-defender-portal).   
 
+> [!IMPORTANT]
+> If you decide not to renew your trial or purchase a subscription, make sure to offboard devices before your trial expires.
 
 ## See also
 

defender-endpoint/device-discovery-faq.md

@@ -15,7 +15,7 @@ ms.collection:
 - tier3
 ms.topic: conceptual
 search.appverid: met150
-ms.date: 03/23/2021
+ms.date: 11/12/2024
 ---
 
 # Device discovery frequently asked questions
@@ -65,11 +65,54 @@ The discovery engine distinguishes between network events that are received in t
 ## What protocols are you capturing and analyzing?
 
 By default, all onboarded devices running on Windows 10 version 1809 or later, Windows 11, Windows Server 2019, or Windows Server 2022 are capturing and analyzing the following protocols:
-ARP, CDP, DHCP, DHCPv6, IP (headers), LLDP, LLMNR, mDNS, MNDP, MSSQL, NBNS, SSDP, TCP (SYN headers), UDP (headers), WSD
+
+- ARP
+- CDP
+- DHCP
+- DHCPv6
+- IP (headers)
+- LLDP
+- LLMNR
+- mDNS
+- MNDP
+- MSSQL
+- NBNS
+- SSDP
+- TCP (SYN headers)
+- UDP (headers)
+- WSD
 
 ## Which protocols do you use for active probing in Standard discovery?
 When a device is configured to run Standard discovery, exposed services are being probed by using the following protocols:
-ARP, FTP, HTTP, HTTPS, ICMP, LLMNR, NBNS, RDP, SIP, SMTP, SNMP, SSH, Telnet, UPNP, WSD, SMB, NBSS, IPP, PJL, RPC, mDNS, DHCP, AFP, CrestonCIP, IphoneSync, WinRM, VNC, SLP, LDAP
+
+- AFP
+- ARP
+- DHCP
+- FTP
+- HTTP
+- HTTPS
+- ICMP
+- IphoneSync
+- IPP
+- LDAP
+- LLMNR
+- mDNS
+- NBNS
+- NBSS
+- PJL
+- RDP
+- RPC
+- SIP
+- SLP
+- SMB
+- SMTP
+- SNMP
+- SSH
+- Telnet
+- UPNP
+- VNC
+- WinRM
+- WSD
 
 In addition, device discovery might also scan other commonly used ports to improve classification accuracy & coverage.
 
@@ -88,9 +131,10 @@ As device discovery uses passive methods to discover devices in the network, any
 
 Devices will actively be probed when changes in device characteristics are observed to make sure the existing information is up to date (typically, devices probed no more than once in a three-week period)
 
-## My security tool raised alert on UnicastScanner.ps1 / PSScript_{GUID}.ps1 or port scanning activity initiated by it, what should I do?
+## My security tool raised alert on UnicastScanner.ps1 / PSScript_{GUID}.ps1 or port scanning activity initiated by it. What should I do?
 
 The active probing scripts are signed by Microsoft and are safe. You can add the following path to your exclusion list:
+
 `C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\*.ps1`
 
 ## What is the amount of traffic being generated by the Standard discovery active probe?
@@ -101,13 +145,13 @@ Active probing can generate up to 50Kb of traffic between the onboarded device a
 
 You may notice differences between the number of listed devices under "can be onboarded" in the device inventory, "onboard to Microsoft Defender for Endpoint" security recommendation, and "devices to onboard" dashboard widget.
 
- The security recommendation and the dashboard widget are for devices that are stable in the network; excluding ephemeral devices, guest devices and others. The idea is to recommend on persistent devices that also imply on the overall security score of the organization.
+The security recommendation and the dashboard widget are for devices that are stable in the network; excluding ephemeral devices, guest devices and others. The idea is to recommend on persistent devices that also imply on the overall security score of the organization.
 
 ## Can I onboard unmanaged devices that were found?
 
 Yes. You can onboard unmanaged devices manually. Unmanaged endpoints in your network introduce vulnerabilities and risks to your network. Onboarding them to the service can increase the security visibility on them.
 
-## I've noticed that unmanaged device health state is always "Active", why is that?
+## I've noticed that unmanaged device health state is always "Active". Why is that?
 
 Temporarily, unmanaged device health state is "Active" during the standard retention period of the device inventory, regardless of their actual state.
 
@@ -138,4 +182,5 @@ The device discovery capabilities have been built to only discover and identify
 ### You can exclude network lures from active probing
 
 Standard discovery supports exclusion of devices or ranges (subnets) from active probing. If you have network lures deployed in place, you can use the Device Discovery settings to define exclusions based on IP addresses or subnets (a range of IP addresses). Defining those exclusions ensure that those devices won't be actively probed and won't be alerted. Those devices are discovered using passive methods only (similar to Basic discovery mode).
+
 [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]

defender-office-365/attack-simulation-training-get-started.md

@@ -65,7 +65,7 @@ Watch this short video to learn more about Attack simulation training.
 
 - There are no corresponding PowerShell cmdlets for Attack simulation training.
 
-- Attack simulation and training related data is stored with other customer data for Microsoft 365 services. For more information, see [Microsoft 365 data locations](/microsoft-365/enterprise/o365-data-locations). Attack simulation training is available in the following regions: APC, EUR, and NAM. Countries within these regions where Attack simulation training is available include ARE, AUS, BRA, CAN, CHE, DEU, ESP, FRA, GBR, IND, ISR, ITA, JPN, KOR, LAM, MEX, NOR, POL, QAT, SGP, SWE, and ZAF.
+- Attack simulation and training related data is stored with other customer data for Microsoft 365 services. For more information, see [Microsoft 365 data locations](/microsoft-365/enterprise/o365-data-locations). Attack simulation training is available in the following regions: APC, EUR, and NAM. Countries within these regions where Attack simulation training is available include ARE, AUS, BRA, CAN, CHE, DEU, ESP, FRA, GBR, IND, ISR, ITA, JPN, KOR, LAM, MEX, NOR, POL, QAT, SGP, SWE, TWN and ZAF.
 
   > [!NOTE]
   > NOR, ZAF, ARE and DEU are the latest additions. All features except reported email telemetry are available in these regions. We're working to enable the features and we'll notify customers as soon as reported email telemetry becomes available.

defender-office-365/tenant-allow-block-list-email-spoof-configure.md

@@ -55,10 +55,10 @@ This article describes how admins can manage entries for email senders in the Mi
 
 - You need to be assigned permissions before you can do the procedures in this article. You have the following options:
   - [Microsoft Defender XDR Unified role based access control (RBAC)](/defender-xdr/manage-rbac) (If **Email & collaboration** \> **Defender for Office 365** permissions is :::image type="icon" source="media/scc-toggle-on.png" border="false"::: **Active**. Affects the Defender portal only, not PowerShell): **Authorization and settings/Security settings/Detection tuning (manage)** or **Authorization and settings/Security settings/Core security settings (read)**.
-  - [Exchange Online permissions](/exchange/permissions-exo/permissions-exo):
+  - [Exchange Online permissions](/exchange/permissions-exo/permissions-exo) in the  **Exchange admin center** at <https://admin.exchange.microsoft.com> \> **Roles** \> **Admin Roles**:
     - *Add and remove entries from the Tenant Allow/Block List*: Membership in one of the following role groups:
       - **Organization Management** or **Security Administrator** (Security admin role).
-      - **Security Operator** (Tenant AllowBlockList Manager).
+      - **Security Operator** (Tenant AllowBlockList Manager role)
     - *Read-only access to the Tenant Allow/Block List*: Membership in one of the following role groups:
       - **Global Reader**
       - **Security Reader**

defender-xdr/advanced-hunting-defender-use-custom-rules.md

@@ -43,7 +43,7 @@ For editable functions, more options are available when you select the vertical
 - **Edit details** – opens the function side pane to allow you to edit details about the function (except folder names for Sentinel functions)
 - **Delete** – deletes the function
 
-### Use arg() operator for Azure Resource Graph queries (Preview)
+### Use arg() operator for Azure Resource Graph queries
 The *arg()* operator can be used to query across deployed Azure resources like subscriptions, virtual machines, CPU, storage, and the like. 
 
 This feature was previously only available in log analytics in Microsoft Sentinel. In the Microsoft Defender portal, the `arg()` operator works over Microsoft Sentinel data (that is, Defender XDR tables are not supported). This allows users to use the operator in advanced hunting without needing to manually open a Microsoft Sentinel window. 

defender-xdr/breadcrumb/toc.yml

@@ -9,6 +9,9 @@
   - name: Microsoft Defender XDR
     tocHref: /defender-for-identity/
     topicHref: /defender-xdr/index
+  - name: Microsoft Defender XDR
+    tocHref: /unified-secops-platform/
+    topicHref: /defender-xdr/index
 
 ## Azure override
 - name: 'Microsoft Defender'
@@ -18,4 +21,3 @@
   - name: 'Microsoft Defender XDR'
     tocHref: /azure/sentinel/
     topicHref: /defender-xdr/index
-

defender-xdr/data-privacy.md

@@ -19,7 +19,7 @@ ms.topic: conceptual
 search.appverid: 
   - MOE150
   - MET150
-ms.date: 08/19/2024
+ms.date: 11/03/2024
 appliesto: 
 - Microsoft Defender XDR 
 ---
@@ -28,22 +28,66 @@ appliesto:
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
 
-Microsoft Defender XDR operates in Microsoft Azure data centers in the European Union, the United Kingdom, the United States, Australia, and Switzerland. Customer data collected by the service is stored at rest in (a) the geo-location of the tenant as identified during provisioning or, (b) the geo-location as defined by the data storage rules of an online service if this online service is used by Microsoft Defender XDR to process such data.
+Microsoft Defender XDR integrates with several different Microsoft security services, which collect data using various technologies. Integrated services allow Microsoft Defender XDR to access their data for the purpose of identifying cross-product correlations.
 
-Customer data in pseudonymized form might also be stored in central storage and processing systems in the United States.
+## Collected data
 
-The table below shows the general information on the data retention of specific service sources in Defender XDR:
+Customer data collected from integrated services includes *processed data*, such as incidents and alerts, and *configuration data*, such as connector settings, rules and so on.
 
-|Product|Default data retention period|More information|
-|:---|:---|:---|
-|Microsoft Defender for Endpoint|180 days|[Defender for Endpoint data storage and privacy](/defender-endpoint/data-storage-privacy)|
-|Microsoft Defender for Office 365|Varies according to feature and license|[Defender for Office 365 data retention information](/defender-office-365/mdo-data-retention)|
-|Microsoft Defender for Identity|180 days|[Defender for Identity data storage and privacy](/defender-for-identity/privacy-compliance)|
-|Microsoft Defender for Cloud Apps|180 days|[Defender for Cloud Apps data storage and privacy](/defender-cloud-apps/cas-compliance-trust)|
-|Microsoft Entra|Varies according to feature and license|[Microsoft Entra data storage and privacy](/entra/identity/monitoring-health/reference-reports-data-retention)|
-|Microsoft Sentinel|90 days for Basic logs, varies depending on pricing|[Microsoft Sentinel pricing](https://azure.microsoft.com/pricing/details/microsoft-sentinel/)|
+## Data storage location
 
-> [!NOTE]
-> [Advanced hunting](advanced-hunting-overview.md) lets you query up to 30 days of raw data.
+Microsoft Defender XDR operations in Microsoft Azure data centers in the following geographical regions:
+
+- **European Union**: North Europe and West Europe
+- **United Kingdom**: UK South and UK West
+- **United States**: East US 2 and Central US
+- **Australia**: Australia East and Australia Southeast
+- **Switzerland**: Switzerland North and Switzerland West
+- **India**: Central India and South India
+
+Once created, the Microsoft Defender XDR tenant isn't movable to a different region. Your geographical region is shown in the Microsoft Defender portal, under **Settings > Microsoft Defender XDR > Account**.
+
+Customer data stored by integrated services might also be stored in the following locations:
+
+- The original location for the relevant service.
+- A region defined by data storage rules of an integrated service, if Microsoft Defender XDR shares data with that service.
+
+## Data retention
+
+Microsoft Defender XDR data is retained for 180 days, and is visible across the Microsoft Defender portal during that time, except for in **Advanced hunting** queries. 
+
+In the Microsoft Defender portal's **Advanced hunting** page, data is accessible via queries for only 30 days, unless it's streamed through [Microsoft's unified security operations platform with Microsoft Sentinel](/azure/sentinel/microsoft-365-defender-sentinel-integration?toc=%2Fdefender-xdr%2Ftoc.json&bc=%2Fdefender-xdr%2Fbreadcrumb%2Ftoc.json&tabs=defender-portal), where retention periods may be longer.
+
+Data continues to be retained and visible, even when a license is under a grace period or in suspended mode. At the end of any grace period or suspension, and no later than 180 days from a contract termination or expiration, data is deleted from Microsoft's systems and is unrecoverable.
+
+Most Defender services also have a default data retention period of 180 days. More information on data retention period per product is found in [relevant service docs](#related-content).
+
+## Data sharing
+
+Microsoft Defender XDR shares data among the following Microsoft products, also licensed by the customer:
+
+- Microsoft Defender for Cloud
+- Microsoft Defender for Identity
+- Microsoft Defender for Endpoint
+- Microsoft Defender for Cloud Apps
+- Microsoft Defender for Office 365
+- Microsoft Defender for IoT
+- Microsoft Sentinel
+- Microsoft Intune
+- Microsoft Purview
+- Microsoft Entra
+- Microsoft Defender Vulnerability Management
+- Microsoft Copilot for Security
+
+## Related content
+
+For more information, see:
+
+- [Defender for Endpoint data storage and privacy](/defender-endpoint/data-storage-privacy)
+- [Defender for Office 365 data retention information](/defender-office-365/mdo-data-retention)
+- [Defender for Identity data storage and privacy](/defender-for-identity/privacy-compliance)
+- [Defender for Cloud Apps data storage and privacy](/defender-cloud-apps/cas-compliance-trust)
+- [Microsoft Entra data storage and privacy](/entra/identity/monitoring-health/reference-reports-data-retention)
+- [Microsoft Sentinel pricing](https://azure.microsoft.com/pricing/details/microsoft-sentinel/)
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)]

defender-xdr/whats-new.md

@@ -29,11 +29,13 @@ For more information on what's new with other Microsoft Defender security produc
 
 You can also get product updates and important notifications through the [message center](https://admin.microsoft.com/Adminportal/Home#/MessageCenter).
 
+## November 2024
+- (GA) The `arg()` operator in [advanced hunting](advanced-hunting-defender-use-custom-rules.md#use-arg-operator-for-azure-resource-graph-queries) in Microsoft Defender portal is now generally available. Users can now use the *arg()* operator for Azure Resource Graph queries to search over Azure resources, and no longer need to go to Log Analytics in Microsoft Sentinel to use this operator if already in Microsoft Defender.
 
 ## October 2024
 
 - [Microsoft Unified RBAC roles](experts-on-demand.md#required-permissions-for-using-ask-defender-experts) are added with new permission levels for Microsoft Threat Experts customers to use Ask Defender experts capability.
-- (Preview) In [advanced hunting](advanced-hunting-defender-use-custom-rules.md#use-arg-operator-for-azure-resource-graph-queries-preview), Microsoft Defender portal users can now use the *arg()* operator for Azure Resource Graph queries to search over Azure resources. You no longer need to go to Log Analytics in Microsoft Sentinel to use this operator if you are already in Microsoft Defender.
+- (Preview) In [advanced hunting](advanced-hunting-defender-use-custom-rules.md#use-arg-operator-for-azure-resource-graph-queries), Microsoft Defender portal users can now use the *arg()* operator for Azure Resource Graph queries to search over Azure resources. You no longer need to go to Log Analytics in Microsoft Sentinel to use this operator if you are already in Microsoft Defender.
 
 ## September 2024
 
@@ -337,7 +339,7 @@ The security operations team can view all actions pending approval, and the stip
 
 ## June 2021
 
-- (Preview) [View reports per threat tags](threat-analytics.md#view- reports-by-category)
+- (Preview) [View reports per threat tags](threat-analytics.md#view-reports-by-category)
 
   Threat tags help you focus on specific threat categories and review the most relevant reports.