Merge branch 'main' of https://github.com/MicrosoftDocs/defender-docs-pr into log-collection

Author: KesemSharabi

.github/workflows/AutoLabelAssign.yml

@@ -30,11 +30,11 @@ jobs:
         with:
             PayloadJson: ${{ needs.download-payload.outputs.WorkflowPayload }}
             AutoAssignUsers: 1
-            AutoAssignReviewers: 1
+            AutoAssignReviewers: 0
             AutoLabel: 1
             ExcludedUserList: '["user1", "user2"]'
             ExcludedBranchList: '["branch1", "branch2"]'
         secrets:
             AccessToken: ${{ secrets.GITHUB_TOKEN }}
             PrivateKey: ${{ secrets.M365_APP_PRIVATE_KEY }}
-            ClientId: ${{ secrets.M365_APP_CLIENT_ID }}
+            ClientId: ${{ secrets.M365_APP_CLIENT_ID }}

.openpublishing.redirection.defender-endpoint.json

@@ -159,6 +159,11 @@
       "source_path": "defender-endpoint/mde-linux-arm.md",
       "redirect_url": "/defender-endpoint/microsoft-defender-endpoint-linux",
       "redirect_document_id": false
-    } 
+    }, 
+    {
+      "source_path": "defender-endpoint/contact-support.md",
+      "redirect_url": "/defender-xdr/contact-defender-support",
+      "redirect_document_id": false
+    },
   ]
 }

defender-endpoint/contact-support.md

@@ -50,11 +50,11 @@ A false positive (FP) refers to a false positive in Microsoft's threat intellige
 
 You can use IP and URL/Domain indicators to manage site access.
 
-To block connections to an IP address, type the IPv4 address in dotted-quad form (e.g. `8.8.8.8`). For IPv6 addresses, specify all 8 segments (e.g. `2001:4860:4860:0:0:0:0:8888`). Note that wildcards and ranges are not supported.
+To block connections to an IP address, type the IPv4 address in dotted-quad form (for example, `8.8.8.8`). For IPv6 addresses, specify all eight segments (for example, `2001:4860:4860:0:0:0:0:8888`). Note that wildcards and ranges aren't supported.
 
-To block connections to a domain and any of its subdomains, specify the domain (e.g. `example.com`). This indicator will match `example.com` as well as `sub.example.com` and `anything.sub.example.com`.
+To block connections to a domain and any of its subdomains, specify the domain (for example, `example.com`). This indicator matches `example.com` as well as `sub.example.com` and `anything.sub.example.com`.
 
-To block a specific URL path, specify the URL path (e.g. `https://example.com/block`). This indicator will match resources under the `/block` path on `example.com`. Note that HTTPS URL paths will only be matched in Microsoft Edge; HTTP URL paths can be matched in any browser.
+To block a specific URL path, specify the URL path (for example, `https://example.com/block`). This indicator matches resources under the `/block` path on `example.com`. Note that HTTPS URL paths will only be matched in Microsoft Edge; HTTP URL paths can be matched in any browser.
 
 You can also create IP and URL indicators to unblock users from a SmartScreen block or selectively bypass web content filtering blocks of sites that you'd like to allow to load. For example, consider a case where you have web content filtering set to block all social media websites. However, the marketing team has a requirement to use a specific social media site to monitor their ad placements. In this case, you can unblock the specific social media site by creating a domain Allow indicator and assigning it to the marketing team's device group.
 
@@ -143,17 +143,17 @@ The functionality of preexisting IoCs doesn't change. However, the indicators ar
 The IoC API schema and the threat IDs in Advanced Hunting are updated to align with the renaming of the IoC response actions. The API scheme changes apply to all IoC Types.
 
 > [!NOTE]
-> There is a limit of 15,000 indicators per tenant. Increases to this limit are not supported.
+> There's a limit of 15,000 indicators per tenant. Increases to this limit aren't supported.
 > 
-> File and certificate indicators do not block [exclusions defined for Microsoft Defender Antivirus](/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus). Indicators are not supported in Microsoft Defender Antivirus when it is in passive mode.
+> File and certificate indicators don't block [exclusions defined for Microsoft Defender Antivirus](/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus). Indicators aren't supported in Microsoft Defender Antivirus when it is in passive mode.
 > 
 > The format for importing new indicators (IoCs) has changed according to the new updated actions and alerts settings. We recommend downloading the new CSV format that can be found at the bottom of the import panel.
 >
-> If indicators are synced to the Microsoft Defender portal from Microsoft Defender for Cloud Apps for sanctioned or unsanctioned applications, the `Generate Alert` option is enabled by default in the Microsoft Defender portal. If you try to clear the `Generate Alert` option for Defender for Endpoint, it is re-enabled after some time because the Defender for Cloud Apps policy overrides it.
+If indicators are synced to the Defender portal from Microsoft Defender for Cloud Apps for sanctioned or unsanctioned applications, the settings are overwritten when synced to Microsoft Defender portal. The `Generate Alert` option is enabled by default in the Microsoft Defender portal for unsanctioned applications. If you try to clear the `Generate Alert` option for Defender for Endpoint, it's re-enabled after some time because the Defender for Cloud Apps policy overrides it. Sanctioned or allowed applications the value is set to not `Generate Alert` .
 
 ## Known issues and limitations
 
-Microsoft Store apps cannot be blocked by Microsoft Defender because they're signed by Microsoft.
+Microsoft Store apps can't be blocked by Microsoft Defender because they're signed by Microsoft.
 
 Customers might experience issues with alerts for IoCs. The following scenarios are situations where alerts aren't created or are created with inaccurate information. 
 

defender-endpoint/indicators-overview.md

@@ -33,7 +33,7 @@ Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](
 
 | Build| 1.1.70230101|
 | -------- | -------- |
-| Release Date   |October 30, 2025|
+| Release Date   |October 28, 2025|
 
 **What's New**
 

defender-endpoint/ios-whatsnew.md

@@ -15,7 +15,7 @@ ms.collection:
 ms.topic: install-set-up-deploy
 ms.subservice: linux
 search.appverid: met150
-ms.date: 08/11/2025
+ms.date: 11/03/2025
 ---
 
 # Deploy Microsoft Defender for Endpoint on Linux manually
@@ -492,27 +492,7 @@ Download the onboarding package from the [Microsoft Defender portal](https://sec
 
 ## Defender for Endpoint package external package dependencies
 
-The following external package dependencies exist for the `mdatp` package:
-
-- The mdatp RPM package requires `glibc >= 2.17`
-- For DEBIAN the mdatp package requires `libc6 >= 2.23`
-- For Mariner the mdatp package requires `attr`,  `diffutils`, `libacl`, `libattr`, `libselinux-utils`, `selinux-policy`, `policycoreutils`
-
-> [!NOTE]
-> Beginning with version `101.24082.0004`, Defender for Endpoint on Linux no longer supports the `Auditd` event provider. We're transitioning completely to the more efficient eBPF technology.
-> If eBPF isn't supported on your machines, or if there are specific requirements to remain on Auditd, and your machines are using Defender for Endpoint on Linux version `101.24072.0001` or lower, the following other dependencies on the auditd package exist for mdatp:
-> - The mdatp RPM package requires `audit`, `semanage`.
-> - For DEBIAN, the mdatp package requires `auditd`.
-> - For Mariner, the mdatp package requires `audit`.
-> For version older than `101.25032.0000`:
-> - RPM package needs: `mde-netfilter`, `pcre`
-> - DEBIAN package needs: `mde-netfilter`, `libpcre3`
-> - The `mde-netfilter` package also has the following package dependencies:
-    - For DEBIAN, the mde-netfilter package requires `libnetfilter-queue1` and `libglib2.0-0`
-    - For RPM, the mde-netfilter package requires `libmnl`, `libnfnetlink`, `libnetfilter_queue`, and `glib2`
-> Beginning with version `101.25042.0003`, uuid-runtime is no longer required as an external-dependency.
-
-If the Microsoft Defender for Endpoint installation fails due to missing dependencies errors, you can manually download the prerequisite dependencies.
+For information, see [Prerequisites for Microsoft Defender for Endpoint on Linux: External package dependency](./mde-linux-prerequisites.md#external-package-dependency).
 
 ## Troubleshoot installation issues