Commit 1225ffb

Merge branch 'main' into siosulli-patch-1
2 parents dd1e85f + 1774132 commit 1225ffb

22 files changed, with 285 additions and 45 deletions.

defender-endpoint/android-configure-mam.md

Lines changed: 5 additions & 5 deletions
Original file line number | Diff line number | Diff line change
@@ -14,7 +14,7 @@ ms.collection:
1414
- mde-android
1515
ms.topic: conceptual
1616
ms.subservice: android
17-
ms.date: 07/25/2024
17+
ms.date: 08/08/2024
1818
---
1919

2020
# Configure Microsoft Defender for Endpoint on Android risk signals using App Protection Policies (MAM)
@@ -124,14 +124,14 @@ End users also need to take steps to install Microsoft Defender for Endpoint on
124124

125125
1. Sign in to a managed application, for example, Outlook. The device is registered and the application protection policy is synchronized to the device. The application protection policy recognizes the device's health state.
126126

127-
2. Select **Continue**. A screen is presented which recommends downloading and setting up of Microsoft Defender for Endpoint on Android app.
127+
2. Select **Continue**. A screen is presented which recommends downloading and setting up of the Microsoft Defender: Antivirus (Mobile) app.
128128

129129
3. Select **Download**. You'll be redirected to the app store (Google play).
130130

131-
4. Install the Microsoft Defender for Endpoint (Mobile) app and launch back Managed app onboarding screen.
132-
133-
:::image type="content" source="media/download-mde.png" alt-text="The illustrative pages that contain the procedure of downloading MDE and launching back the app-onboarding screen." lightbox="media/download-mde.png":::
131+
4. Install the Microsoft Defender: Antivirus (Mobile) app and go back to the managed app onboarding screen.
134132

133+
:::image type="content" source="media/mam-flow.png" alt-text="Shows the procedure of downloading Microsoft Defender: Antivirus (Mobile) app." lightbox="media/mam-flow.png":::
134+
135135
5. Click **Continue > Launch**. The Microsoft Defender for Endpoint app onboarding/activation flow is initiated. Follow the steps to complete onboarding. You'll automatically be redirected back to Managed app onboarding screen, which now indicates that the device is healthy.
136136

137137
6. Select **Continue** to log into the managed application.
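Review bot: The app name is now inconsistent within this procedure: steps 2 and 4 say "Microsoft Defender: Antivirus (Mobile) app", but the unchanged step 5 (line 135) still refers to "The Microsoft Defender for Endpoint app onboarding/activation flow". If the new name is what users see in the store, say so once and tie it to the product name so readers can confirm they are installing the intended app. Step 2 also keeps the awkward "downloading and setting up of the", which reads better as "downloading and setting up the", and step 5 uses "Click" where the other steps use "Select".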

defender-endpoint/troubleshoot-collect-support-log.md

Lines changed: 2 additions & 2 deletions
@@ -14,7 +14,7 @@ ms.collection:
1414
ms.topic: troubleshooting
1515
ms.subservice: edr
1616
search.appverid: met150
17-
ms.date: 08/01/2024
17+
ms.date: 08/13/2024
1818
---
1919

2020
# Collect support logs in Microsoft Defender for Endpoint using live response
@@ -55,7 +55,7 @@ This article provides instructions on how to run the tool via Live Response on W
5555

5656
```console
5757
Run MDELiveAnalyzer.ps1
58-
GetFile "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\MDEClientAnalyzerResult.zip"
58+
GetFile "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\MDECA\MDEClientAnalyzerResult.zip"
5959
```
6060

6161
[![Image of commands.](media/analyzer-commands.png)](media/analyzer-commands.png#lightbox)
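Review bot: The GetFile path on line 58 now includes the `MDECA` subfolder, but the screenshot referenced on line 61 (media/analyzer-commands.png) is not changed in this file's two modified lines, so it may still show the old path. Check the image and any other mention of the old output location in the article, and consider a short note on which path applies if older copies of MDELiveAnalyzer.ps1 still write to the previous folder.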

defender-office-365/defender-for-office-365-whats-new.md

Lines changed: 9 additions & 9 deletions
@@ -41,7 +41,7 @@ For more information on what's new with other Microsoft Defender security produc
4141

4242
## July 2024
4343

44-
- **Tenant Allow/Block List in Microsoft 365 GCC, GCC High, DoD and and Office 365 operated by 21Vianet environments**: The [Tenant Allow/Block List](tenant-allow-block-list-about.md) is now available these environments. They are on parity with the WW commercial experiences.
44+
- **Tenant Allow/Block List in Microsoft 365 GCC, GCC High, DoD, and Office 365 operated by 21Vianet environments**: The [Tenant Allow/Block List](tenant-allow-block-list-about.md) is now available these environments. They are on parity with the WW commercial experiences.
4545

4646
- **45 days after last used date**: The value **Remove allow entry after** \> **45 days after last used date** is now the default on new allow entries from submissions and existing allow entries in the [Tenant Allow/Block List](tenant-allow-block-list-about.md). The allow entry is triggered and the **LastUsedDate** property is updated when the entity is encountered and identified as malicious during mail flow or at time of click. After the filtering system determines that the entity is clean, the allow entry is automatically removed after 45 days. By default, allow entries for spoofed senders never expire.
4747
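Review bot: The rewritten line 44 fixes the doubled "and" but still reads "is now available these environments", which is missing "in". "They are on parity with" would also read better as "They're at parity with", matching the contraction style applied elsewhere in this commit.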

@@ -51,14 +51,14 @@ For more information on what's new with other Microsoft Defender security produc
5151

5252
## May 2024
5353

54-
- **Top level domain and subdomain blocking in Tenant Allow/Block List**: You will be able to create block entries under domains & email addresses, using the format `*.TLD`, where `TLD` can be any top-level domain or `*.SD1.TLD, *.SD2.SD1.TLD`, `*.SD3.SD2.SD1.TLD`, and similar patterns for subdomain blocking. The entries block all email received from or sent to any email addresses in the domain or subdomain during mail flow.
54+
- **Top level domain and subdomain blocking in Tenant Allow/Block List**: You can create block entries under domains & email addresses, using the format `*.TLD`, where `TLD` can be any top-level domain or `*.SD1.TLD, *.SD2.SD1.TLD`, `*.SD3.SD2.SD1.TLD`, and similar patterns for subdomain blocking. The entries block all email received from or sent to any email addresses in the domain or subdomain during mail flow.
5555

5656
- **Automated end user feedback**: The user submission automatic feedback response capability in Microsoft Defender for Office 365 enables organizations to automatically respond to end user submissions of phishing based on the verdict from the automated investigation. [Learn more](air-user-automatic-feedback-response.md).
5757

58-
- We are introducing **Sender's copy clean-up features** in Threat Explorer, email entity, Summary Panel, and Advanced hunting. These new features will streamline the process of managing Sent items, particularly for admins who use the actions **Move to mailbox folder** \> **Soft delete** and **Move to mailbox folder** \> **Inbox**. For more information, see [Threat hunting: The Take action wizard](threat-explorer-threat-hunting.md#the-take-action-wizard). Key highlights:
59-
- Integration with Soft delete: Sender's copy clean-up will be incorporated as part of the Soft delete action.
60-
- Wide support: This action will be supported across various Defender XDR platforms including Threat Explorer, Take Action wizard from the email entity, Summary Panel, Advanced hunting, and through Microsoft Graph API.
61-
- Undo capability: An undo action will be available, allowing you to reverse the clean-up by moving items back to the Sent folder.
58+
- We're introducing **Sender's copy clean-up features** in Threat Explorer, email entity, Summary Panel, and Advanced hunting. These new features streamline the process of managing Sent items, particularly for admins who use the actions **Move to mailbox folder** \> **Soft delete** and **Move to mailbox folder** \> **Inbox**. For more information, see [Threat hunting: The Take action wizard](threat-explorer-threat-hunting.md#the-take-action-wizard). Key highlights:
59+
- Integration with Soft delete: Sender's copy clean-up is incorporated as part of the Soft delete action.
60+
- Wide support: This action is supported across various Defender XDR platforms including Threat Explorer, Take Action wizard from the email entity, Summary Panel, Advanced hunting, and through Microsoft Graph API.
61+
- Undo capability: An undo action is available, allowing you to reverse the clean-up by moving items back to the Sent folder.
6262

6363
## April 2024
6464
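Review bot: On line 54 the pattern list is formatted inconsistently: `*.SD1.TLD, *.SD2.SD1.TLD` sits inside a single code span, comma included, while `*.SD3.SD2.SD1.TLD` has its own. Admins will read these as the literal block-entry formats, so give each pattern its own code span. The sentence would also be clearer split in two, one for `*.TLD` and one for the subdomain patterns, and the bold label should read "Top-level" to match "top-level domain" later in the line.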

@@ -192,7 +192,7 @@ For more information on what's new with other Microsoft Defender security produc
192192
- From Office 365 Security & Compliance Center URL: scc.protection.apps.mil
193193
- To Microsoft Defender XDR URL: security.apps.mil
194194
- Items in the Office 365 Security & Compliance Center that aren't related to security aren't redirected to Microsoft Defender XDR. For compliance solutions redirection to Microsoft 365 Compliance Center, see Message Center post 244886.
195-
- This change is a continuation of [Microsoft Defender XDR delivers unified XDR experience to GCC, GCC High and DoD customers - Microsoft Tech Community](https://techcommunity.microsoft.com/t5/public-sector-blog/microsoft-365-defender-delivers-unified-xdr-experience-to-gcc/ba-p/3263702), announced in March 2022.
195+
- This change is a continuation of [Microsoft Defender XDR delivers unified XDR experience to GCC, GCC High, and DoD customers - Microsoft Tech Community](https://techcommunity.microsoft.com/t5/public-sector-blog/microsoft-365-defender-delivers-unified-xdr-experience-to-gcc/ba-p/3263702), announced in March 2022.
196196
- This change enables users to view and manage additional Microsoft Defender XDR security solutions in one portal.
197197
- This change impacts all customers who use the Office 365 Security & Compliance Center (protection.office.com), including Microsoft Defender for Office (Plan 1 or Plan 2), Microsoft 365 E3 / E5, Office 365 E3/ E5, and Exchange Online Protection. For the full list, see [Microsoft 365 guidance for security & compliance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance)
198198
- This change impacts all users who sign in to the Office 365 Security and Compliance portal (protection.office.com), including security teams and end-users who access the Email Quarantine experience, at the **Microsoft Defender Portal** \> **Review** \> **Quarantine**.
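Review bot: Line 195 inserts a serial comma inside link text that appears to be the title of the linked Tech Community post (it ends with "- Microsoft Tech Community"). If that is a quoted title, keep it as published, or replace it with descriptive link text written in the doc's own style.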
@@ -258,7 +258,7 @@ For more information on what's new with other Microsoft Defender security produc
258258
## August 2021
259259

260260
- [Admin review for reported messages](submissions-admin-review-user-reported-messages.md): Admins can now send templated messages back to end users after they review reported messages. The templates can be customized for your organization and based on your admin's verdict as well.
261-
- You can now add allow entries to the Tenant Allow/Block List if the blocked message was submitted as part of the admin submission process. Depending on the nature of the block, the submitted URL, file, and/or sender allow will be added to the Tenant Allow/Block List. In most cases, the allows are added to give the system some time and allow it naturally if warranted. In some cases, Microsoft manages the allow for you. For more information, see:
261+
- You can now add allow entries to the Tenant Allow/Block List if the blocked message was submitted as part of the admin submission process. Depending on the nature of the block, the submitted URL, file, and/or sender allow entries are added to the Tenant Allow/Block List. In most cases, the allows are added to give the system some time and allow it naturally, if warranted. In some cases, Microsoft manages the allow for you. For more information, see:
262262
- [Report good URLs to Microsoft](submissions-admin.md#report-good-urls-to-microsoft)
263263
- [Report good email attachments to Microsoft](submissions-admin.md#report-good-email-attachments-to-microsoft)
264264
- [Report good email to Microsoft](submissions-admin.md#report-good-email-to-microsoft)
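Review bot: Line 261 changes "sender allow will be added" to "sender allow entries are added" but leaves "the allows are added" and "manages the allow for you" in the sentences that follow, so "allow" is still used as a noun. Use "allow entries" and "the allow entry" throughout, and reword "give the system some time and allow it naturally", where "it" has no clear referent.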
@@ -289,7 +289,7 @@ For more information on what's new with other Microsoft Defender security produc
289289

290290
- [Email entity page](mdo-email-entity-page.md): A unified 360-degree view of an email with enriched information around threats, authentication and detections, detonation details, and a brand-new email preview experience.
291291
- [Office 365 Management API](/office/office-365-management-api/office-365-management-activity-api-schema#email-message-events): Updates to EmailEvents (RecordType 28) to add delivery action, original and latest delivery locations, and updated detection details.
292-
- [Threat Analytics for Defender for Office 365](/defender-xdr/threat-analytics): View active threat actors, popular techniques and attack surfaces, along with extensive reporting from Microsoft researchers around ongoing campaigns.
292+
- [Threat Analytics for Defender for Office 365](/defender-xdr/threat-analytics): View active threat actors, popular techniques, and attack surfaces, along with extensive reporting from Microsoft researchers around ongoing campaigns.
293293

294294
## February/March 2021
295295

defender-office-365/safe-links-about.md

Lines changed: 1 addition & 1 deletion
@@ -61,7 +61,7 @@ Safe Links protection by Safe Links policies is available in the following locat
6161
>
6262
> Safe Links supports only HTTP(S) and FTP formats.
6363
>
64-
> Safe Links no longer wraps URLs pointing to SharePoint sites. SharePoint URLs are still processed by the Safe Links service. This change doesn't cause a degradation in the protection a tenant receives. It's intended to improve the performance of loading SharePoint URLs.
64+
> Safe Links no longer wraps URLs pointing to SharePoint Online sites. SharePoint URLs are still processed by the Safe Links service. This change doesn't cause a degradation in the protection a tenant receives. It's intended to improve the performance of loading SharePoint URLs.
6565
>
6666
> Using another service to wrap links before Defender for Office 365 might prevent Safe Links from process links, including wrapping, detonating, or otherwise validating the "maliciousness" of the link.
6767
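Review bot: Line 64 narrows the first sentence to "SharePoint Online sites", but the next sentences on the same line still say "SharePoint URLs", which leaves the scope unclear for readers working out which links are wrapped. Use one term consistently, or state how other SharePoint URLs are handled. While here, the context line 66 has "prevent Safe Links from process links", which should read "from processing links".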

defender-office-365/submissions-admin.md

Lines changed: 1 addition & 1 deletion
@@ -95,7 +95,7 @@ For other ways that **admins** can report messages to Microsoft in the Defender
9595
- **Select the submission type**: Verify the value **Email** is selected.
9696

9797
- **Add the network message ID or upload the email file**: Select one of the following options:
98-
- **Add the email network message ID**: The GUID value is available in the **X-MS-Exchange-Organization-Network-Message-Id** header in the message or in the **X-MS-Office365-Filtering-Correlation-Id** header in quarantined messages.
98+
- **Add the email network message ID**: The GUID value is available in the **X-MS-Exchange-Organization-Network-Message-Id** header or in the **X-MS-Office365-Filtering-Correlation-Id** header in messages.
9999
- **Upload the email file (.msg or .eml)**: Select **Browse files**. In the dialog that opens, find and select the .eml or .msg file, and then select **Open**.
100100

101101
- **Choose at least one recipient who had an issue**: Specify the recipients to run a policy check against. The policy check determines if the email bypassed scanning due to user or organization policies or override.
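Review bot: The new wording on line 98 drops the distinction between where each header is found: the old text tied **X-MS-Office365-Filtering-Correlation-Id** to quarantined messages, and the new text ends with a bare "in messages". If both headers are now present on every message, say so directly (for example, "in either header of the message"); if the second header still applies only to particular messages, keep that qualifier so admins look in the right place for the GUID.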

defender-xdr/access-den-graph-api.md

Lines changed: 2 additions & 2 deletions
@@ -3,7 +3,7 @@ title: Accessing incident notifications and DENs using Graph security API
33
ms.reviewer:
44
description: The method to access Defender Experts Notifications using Graph security API
55
ms.service: defender-experts
6-
ms.subservice: dex-xdr
6+
ms.subservice: dex-hunting
77
ms.author: vpattnaik
88
author: vpattnai
99
ms.localizationpriority: medium
@@ -15,7 +15,7 @@ ms.collection:
1515
- essentials-overview
1616
ms.topic: conceptual
1717
search.appverid: met150
18-
ms.date: 04/29/2024
18+
ms.date: 08/14/2024
1919
---
2020

2121
# Access incident notifications using Graph API

defender-xdr/before-you-begin-defender-experts.md

Lines changed: 2 additions & 1 deletion
@@ -3,6 +3,7 @@ title: Key infrastructure requirements before enrolling in the Microsoft Defende
33
ms.reviewer:
44
description: This section outlines the key infrastructure requirements you must meet and important information on data access and compliance
55
ms.service: defender-experts
6+
ms.subservice: dex-hunting
67
ms.author: vpattnaik
78
author: vpattnai
89
ms.localizationpriority: medium
@@ -14,7 +15,7 @@ ms.collection:
1415
- tier1
1516
ms.topic: conceptual
1617
search.appverid: met150
17-
ms.date: 06/19/2024
18+
ms.date: 08/14/2024
1819
---
1920

2021
# Before you begin using Defender Experts for Hunting

defender-xdr/deception-overview.md

Lines changed: 7 additions & 7 deletions
@@ -3,20 +3,20 @@ title: Manage the deception capability in Microsoft Defender XDR
33
description: Detect human-operated attacks with lateral movement in the early stages using high confidence signals from the deception feature in Microsoft Defender XDR.
44
ms.service: defender-xdr
55
f1.keywords:
6-
- NOCSH
6+
- NOCSH
77
ms.author: diannegali
88
author: diannegali
99
ms.localizationpriority: medium
1010
manager: dansimp
1111
audience: ITPro
1212
ms.collection:
13-
- m365-security
14-
- tier1
13+
- m365-security
14+
- tier1
1515
ms.topic: conceptual
1616
search.appverid:
17-
- MOE150
18-
- MET150
19-
ms.date: 08/08/2024
17+
- MOE150
18+
- MET150
19+
ms.date: 08/14/2024
2020
---
2121

2222
# Manage the deception capability in Microsoft Defender XDR
@@ -79,7 +79,7 @@ There are two types of lures available in the deception feature:
7979
8080
You can specify decoys, lures, and the scope in a deception rule. See [Configure the deception feature](configure-deception.md) to learn more about how to create and modify deception rules.
8181

82-
When an attacker uses a decoy or a lure on any Defender for Endpoint-onboarded client, the deception capability triggers an alert that indicates possible attacker activity, regardless of whether deception was deployed on the client or not.
82+
When an attacker uses a decoy on any Defender for Endpoint-onboarded client, the deception capability triggers an alert that indicates possible attacker activity, regardless of whether deception was deployed on the client or not.
8383

8484
## Identify incidents and alerts activated by deception
8585

defender-xdr/defender-experts-for-hunting.md

Lines changed: 1 addition & 0 deletions
@@ -3,6 +3,7 @@ title: What is Microsoft Defender Experts for Hunting offering
33
ms.reviewer:
44
description: Microsoft Defender Experts for Hunting is a proactive threat hunting service that goes beyond the endpoint to hunt across endpoints
55
ms.service: defender-experts
6+
ms.subservice: dex-hunting
67
ms.author: vpattnaik
78
author: vpattnai
89
ms.localizationpriority: medium
