Merge pull request #1687 from MicrosoftDocs/main

pushing MDE on Linux updates live

Author: denisebmsft

defender-endpoint/microsoft-defender-endpoint-linux.md

@@ -15,7 +15,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: linux
 search.appverid: met150
-ms.date: 10/21/2024
+ms.date: 10/23/2024
 ---
 
 # Microsoft Defender for Endpoint on Linux
@@ -31,7 +31,7 @@ ms.date: 10/21/2024
 This article describes how to install, configure, update, and use Microsoft Defender for Endpoint on Linux.
 
 > [!CAUTION]
-> Running other third-party endpoint protection products alongside Microsoft Defender for Endpoint on Linux is likely to lead to performance problems and unpredictable side effects. If non-Microsoft endpoint protection is an absolute requirement in your environment, you can still safely take advantage of Defender for Endpoint on Linux EDR functionality after configuring the antivirus functionality to run in [Passive mode](linux-preferences.md#enforcement-level-for-antivirus-engine).
+> Running other non-Microsoft endpoint protection products alongside Microsoft Defender for Endpoint on Linux is likely to lead to performance problems and unpredictable side effects. If non-Microsoft endpoint protection is an absolute requirement in your environment, you can still safely take advantage of Defender for Endpoint on Linux EDR functionality after configuring antivirus functionality to run in [Passive mode](linux-preferences.md#enforcement-level-for-antivirus-engine).
 
 ## How to install Microsoft Defender for Endpoint on Linux
 
@@ -40,35 +40,35 @@ Microsoft Defender for Endpoint for Linux includes anti-malware and endpoint det
 ### Prerequisites
 
 - Access to the Microsoft Defender portal
+- 
 - Linux distribution using the [systemd](https://systemd.io/)system manager
 
   > [!NOTE]
-  > Linux distribution using system manager, except for RHEL/CentOS 6.x support both SystemV and Upstart.
+  > Linux distribution using system manager, support both SystemV and Upstart.
+
 - Beginner-level experience in Linux and BASH scripting
+- 
 - Administrative privileges on the device (for manual deployment)
 
 > [!NOTE]
 > Microsoft Defender for Endpoint on Linux agent is independent from [OMS agent](/azure/azure-monitor/agents/agents-overview#log-analytics-agent). Microsoft Defender for Endpoint relies on its own independent telemetry pipeline.
 
 ### Installation instructions
 
-There are several methods and deployment tools that you can use to install and configure Microsoft Defender for Endpoint on Linux.
+There are several methods and deployment tools that you can use to install and configure Microsoft Defender for Endpoint on Linux. Before you begin, make sure the [Minimum requirements for Microsoft Defender for Endpoint](minimum-requirements.md) are met.
 
-In general you need to take the following steps:
+You can use one of the following methods to deploy Microsoft Defender for Endpoint on Linux:
 
-- Ensure that you have a Microsoft Defender for Endpoint subscription.
-- Deploy Microsoft Defender for Endpoint on Linux using one of the following deployment methods:
-  - The command-line tool:
-    - [Manual deployment](linux-install-manually.md)
-   - Third-party management tools:
-    - [Deploy using Puppet configuration management tool](linux-install-with-puppet.md)
-    - [Deploy using Ansible configuration management tool](linux-install-with-ansible.md)
-      - [Deploy using Chef configuration management tool](linux-deploy-defender-for-endpoint-with-chef.md)
-      - [Deploy using Saltstack configuration management tool](linux-install-with-saltack.md)
-      If you experience any installation failures, refer to [Troubleshooting installation failures in Microsoft Defender for Endpoint on Linux](linux-support-install.md).
+- To use command-line tool, see [Manual deployment](linux-install-manually.md)
+- To use Puppet, see [Deploy using Puppet configuration management tool](linux-install-with-puppet.md)
+- To use Ansible, see [Deploy using Ansible configuration management tool](linux-install-with-ansible.md)
+- To use Chef, see [Deploy using Chef configuration management tool](linux-deploy-defender-for-endpoint-with-chef.md)
+- To use Saltstack, see [Deploy using Saltstack configuration management tool](linux-install-with-saltack.md)
 
-> [!NOTE]
-> It is not supported to install Microsoft Defender for Endpoint in any other location other than the default install path.
+If you experience any installation failures, see [Troubleshooting installation failures in Microsoft Defender for Endpoint on Linux](linux-support-install.md).
+
+> [!IMPORTANT]
+> Installing Microsoft Defender for Endpoint in any location other than the default install path is not supported.
 > Microsoft Defender for Endpoint on Linux creates an `mdatp` user with random UID and GID. If you want to control the UID and GID, create an `mdatp` user prior to installation using the  `/usr/sbin/nologin` shell option. Here's an example: `mdatp:x:UID:GID::/home/mdatp:/usr/sbin/nologin`.
 
 ### System requirements
@@ -78,19 +78,18 @@ In general you need to take the following steps:
   > [!NOTE]
   > An additional 2 GB disk space might be needed if cloud diagnostics are enabled for crash collections. Please make sure that you have free disk space in /var.
 
-- Cores: 2 minimum, 4 preferred
+- Cores: Two minimum, four preferred
 
   > [!NOTE]
-  > If you are on Passive or RTP ON mode, 2 Cores are minimum and 4 Cores are preferred. If you are turning on BM, then a minimum of 4 Cores is required.
+  > If you are on Passive or RTP ON mode, at least two Cores are required. Four Cores are preferred. If you are turning on BM, then at least four Cores are required.
 
-- Memory: 1 GB minimum, 4 preferred
+- Memory: 1 GB minimum, 4 GB preferred
 
-- List of supported Linux server distributions and x64 (AMD64/EM64T) and x86_64 versions:
+- The following Linux server distributions and x64 (AMD64/EM64T) and x86_64 versions are supported:
   - Red Hat Enterprise Linux 6.7 or higher (In preview)
   - Red Hat Enterprise Linux 7.2 or higher
   - Red Hat Enterprise Linux 8.x
   - Red Hat Enterprise Linux 9.x
-  - CentOS 6.7 or higher (In preview)
   - CentOS 7.2 or higher
   - Ubuntu 16.04 LTS 
   - Ubuntu 18.04 LTS
@@ -121,7 +120,7 @@ In general you need to take the following steps:
   > [!CAUTION]
   > Running Defender for Endpoint on Linux side by side with other `fanotify`-based security solutions is not supported. It can lead to unpredictable results, including hanging the operating system. If there are any other applications on the system that use `fanotify` in blocking mode, applications are listed in the `conflicting_applications` field of the `mdatp health` command output. The Linux **FAPolicyD** feature uses `fanotify` in blocking mode, and is therefore unsupported when running Defender for Endpoint in active mode. You can still safely take advantage of Defender for Endpoint on Linux EDR functionality after configuring the antivirus functionality Real Time Protection Enabled to [Passive mode](linux-preferences.md#enforcement-level-for-antivirus-engine).
 
-- List of supported filesystems for RTP, Quick, Full and Custom Scan.
+- List of supported filesystems for RTP, Quick, Full, and Custom Scan.
 
    |RTP, Quick, Full Scan| Custom Scan|
    |---|---|
@@ -142,7 +141,7 @@ In general you need to take the following steps:
    |`vfat`||
    |`xfs`||
 
-- Audit framework (`auditd`) must be enabled if you are using auditd as your primary event provider.
+- Audit framework (`auditd`) must be enabled if you're using auditd as your primary event provider.
 
   > [!NOTE]
   > System events captured by rules added to `/etc/audit/rules.d/` will add to `audit.log`(s) and might affect host auditing and upstream collection. Events added by Microsoft Defender for Endpoint on Linux will be tagged with `mdatp` key.
@@ -151,7 +150,7 @@ In general you need to take the following steps:
 
 ### External package dependency
 
-If the Microsoft Defender for Endpoint installation fails due to missing dependencies errors, you can manually download the pre-requisite dependencies. The following external package dependencies exist for the mdatp package:
+If the Microsoft Defender for Endpoint installation fails due to missing dependencies errors, you can manually download the prerequisite dependencies. The following external package dependencies exist for the mdatp package:
 
 - The mdatp RPM package requires `glibc >= 2.17`, `audit`, `policycoreutils`, `semanage` `selinux-policy-targeted`, and `mde-netfilter`
 - For RHEL6 the mdatp RPM package requires `audit`, `policycoreutils`, `libselinux`, and `mde-netfilter`
@@ -168,14 +167,14 @@ When adding exclusions to Microsoft Defender Antivirus, you should be mindful of
 
 ### Network connections
 
-Ensure that connectivity is possible from your devices to Microsoft Defender for Endpoint cloud services. To prepare your environment, please reference [STEP 1: Configure your network environment to ensure connectivity with Defender for Endpoint service](configure-environment.md).
+Ensure that connectivity is possible from your devices to Microsoft Defender for Endpoint cloud services. To prepare your environment, see [STEP 1: Configure your network environment to ensure connectivity with Defender for Endpoint service](configure-environment.md).
 
 Defender for Endpoint on Linux can connect through a proxy server by using the following discovery methods:
 
 - Transparent proxy
 - Manual static proxy configuration
 
-If a proxy or firewall is blocking anonymous traffic, make sure that anonymous traffic is permitted in the previously listed URLs. For transparent proxies, no additional configuration is needed for Defender for Endpoint. For static proxy, follow the steps in [Manual Static Proxy Configuration](linux-static-proxy-configuration.md).
+If a proxy or firewall is blocking anonymous traffic, make sure that anonymous traffic is permitted in the previously listed URLs. For transparent proxies, no another configuration is needed for Defender for Endpoint. For static proxy, follow the steps in [Manual Static Proxy Configuration](linux-static-proxy-configuration.md).
 
 > [!WARNING]
 > PAC, WPAD, and authenticated proxies are not supported. Ensure that only a static proxy or transparent proxy is being used.
@@ -193,7 +192,7 @@ Guidance for how to configure the product in enterprise environments is availabl
 
 ## Common Applications to Microsoft Defender for Endpoint can impact
 
-High I/O workloads from certain applications can experience performance issues when Microsoft Defender for Endpoint is installed. These include applications for developer scenarios like Jenkins and Jira, and database workloads like OracleDB and Postgres. If experiencing performance degradation, consider setting exclusions for trusted applications, keeping [Common Exclusion Mistakes for Microsoft Defender Antivirus](common-exclusion-mistakes-microsoft-defender-antivirus.md) in mind. For additional guidance, consider consulting documentation regarding antivirus exclusions from third party applications.
+High I/O workloads from certain applications can experience performance issues when Microsoft Defender for Endpoint is installed. Such applications for developer scenarios include Jenkins and Jira, and database workloads like OracleDB and Postgres. If experiencing performance degradation, consider setting exclusions for trusted applications, keeping [Common Exclusion Mistakes for Microsoft Defender Antivirus](common-exclusion-mistakes-microsoft-defender-antivirus.md) in mind. For more guidance, consider consulting documentation regarding antivirus exclusions from non-Microsoft applications.
 
 ## Resources
 
@@ -202,9 +201,7 @@ High I/O workloads from certain applications can experience performance issues w
 ## Related articles
 
 - [Protect your endpoints with Defender for Cloud's integrated EDR solution: Microsoft Defender for Endpoint](/azure/defender-for-cloud/integration-defender-for-endpoint)
-
 - [Connect your non-Azure machines to Microsoft Defender for Cloud](/azure/defender-for-cloud/quickstart-onboard-machines)
-
 - [Turn on network protection for Linux](network-protection-linux.md)
 
 [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]

defender-office-365/air-about.md

@@ -7,7 +7,7 @@ ms.author: chrisda
 manager: deniseb
 audience: ITPro
 ms.topic: conceptual
-ms.date: 06/09/2023
+ms.date: 10/22/2024
 ms.localizationpriority: medium
 search.appverid:
 - MET150
@@ -79,7 +79,9 @@ In addition, make sure to review your organization's [alert policies](alert-poli
 
 ## Which alert policies trigger automated investigations?
 
-Microsoft 365 provides many built-in alert policies that help identify Exchange admin permissions abuse, malware activity, potential external and internal threats, and information governance risks. Several of the [default alert policies](/purview/alert-policies#default-alert-policies) can trigger automated investigations. The following table describes the alerts that trigger automated investigations, their severity in the Microsoft Defender portal, and how they're generated:
+Microsoft 365 provides many built-in alert policies that help identify Exchange admin permissions abuse, malware activity, potential external and internal threats, and information governance risks. Several of the [default alert policies](/purview/alert-policies#default-alert-policies) can trigger automated investigations. If these alerts are disabled or replaced by custom alerts, AIR isn't triggered. 
+
+The following table describes the alerts that trigger automated investigations, their severity in the Microsoft Defender portal, and how they're generated:
 
 |Alert|Severity|How the alert is generated|
 |---|---|---|

defender-office-365/attack-simulation-training-faq.md

@@ -256,7 +256,10 @@ A: Several options are available to target users:
 - Include all users (currently available to organizations with less than 40,000 users).
 - Choose specific users.
 - Select users from a CSV file (one email address per line).
-- Microsoft Entra group-based targeting.
+- Microsoft Entra group-based targeting. The following group types are supported:
+  - Microsoft 365 Groups (static and dynamic)
+  - Distribution groups (static only)
+  - Mail-enabled security groups (static only)
 
 We find that campaigns where the targeted users are identified by Microsoft Entra groups are easier to manage.
 
@@ -282,7 +285,7 @@ Managing a large CSV file or adding many individual recipients can be cumbersome
 > [!TIP]
 > Currently, shared mailboxes aren't supported in Attack simulation training. Simulations should target user mailboxes or groups containing user mailboxes.
 >
-> Distribution groups are expanded and the list of users is generated at the time of saving the simulation or simulation automation.
+> Groups are expanded and the list of users is generated at the time of saving the simulation, simulation automation, or training campaign.
 
 ### Q: Are the limits for the number of simulations that can be deployed during a specific time interval?
 

defender-office-365/attack-simulation-training-simulation-automations.md

@@ -12,7 +12,7 @@ ms.collection:
   - tier2
 description: Admins can learn how to create automated simulations that contain specific techniques and payloads that launch when the specified conditions are met in Microsoft Defender for Office 365 Plan 2.
 search.appverid: met150
-ms.date: 08/26/2024
+ms.date: 10/23/2024
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 2</a>
 ---
@@ -191,7 +191,12 @@ On the **Target users** page, select who receives the simulation. Use the follow
 
 - **Include only specific users and groups**: At first, no users or groups are shown on the **Targeted users** page. To add users or groups to the simulation, choose one of the following options:
 
-  - :::image type="icon" source="media/m365-cc-sc-create-icon.png" border="false"::: **Add users**: In the **Add users** flyout that opens, you find and select users and groups to receive the simulation. **Dynamic distribution groups are not supported**. The following search tools are available:
+  - :::image type="icon" source="media/m365-cc-sc-create-icon.png" border="false"::: **Add users**: In the **Add users** flyout that opens, you find and select users and groups to receive the simulation. The following group types are supported:
+    - Microsoft 365 Groups (static and dynamic)
+    - Distribution groups (static only)
+    - Mail-enabled Security groups (static only)
+
+    The following search tools are available:
 
     - **Search for users or groups**: If you click in the :::image type="icon" source="media/m365-cc-sc-search-icon.png" border="false"::: **Search** box and do one of the following actions, the **Filter users by categories** options on the **Add users** flyout are replaced by a **User list** section:
       - Type three or more characters and then press the ENTER key. Any users or group names that contain those characters are shown in the **User list** section by **Name** and **Email**.