Merge branch 'main' of https://github.com/MicrosoftDocs/defender-docs-pr into yelevin/rename-link-to-move

Author: yelevin

defender-endpoint/evaluate-exploit-protection.md

@@ -15,7 +15,7 @@ ms.collection:
 - tier2
 - mde-asr
 search.appverid: met150
-ms.date: 11/21/2024
+ms.date: 02/03/2025
 ---
 
 # Evaluate exploit protection
@@ -89,6 +89,8 @@ For Adobe Reader use the following ASR rule:
 
 •	[Block Adobe Reader from creating child processes](attack-surface-reduction-rules-reference.md#block-adobe-reader-from-creating-child-processes)
 
+[Google Chrome ](https://chromium.googlesource.com/chromium/src/+/refs/heads/main/docs/security/faq.md#Can-I-use-EMET-to-help-protect-Chrome-against-attack-on-Microsoft-Windows)no longer recommends enabling Exploit Protection (EMET) because it's redundant or superseded with built-in attack mitigations.
+
 ## Application compatibility list
 
 The following table lists specific products that have compatibility issues with the mitigations that are included in exploit protection. You must disable specific incompatible mitigations if you want to protect the product by using exploit protection. Be aware that this list takes into consideration the default settings for the latest versions of the product.  Compatibility issues can introduced when you apply certain add-ins or other components to the standard software.
@@ -102,7 +104,7 @@ The following table lists specific products that have compatibility issues with
 | Certain AMD (ATI) video drivers   | System ASLR=AlwaysOn   |
 | DropBox   | EAF  |
 | Excel Power Query, Power View, Power Map and PowerPivot   | EAF  |
-| Google Chrome   | EAF+   |
+| Google Chrome   ([no longer recommended](https://chromium.googlesource.com/chromium/src/+/refs/heads/main/docs/security/faq.md#Can-I-use-EMET-to-help-protect-Chrome-against-attack-on-Microsoft-Windows))| EAF+   |
 | Immidio Flex+   | EAF   |
 | Microsoft Office Web Components (OWC)   | System DEP=AlwaysOn  |
 | Microsoft PowerPoint   | EAF   |

defender-endpoint/exploit-protection-reference.md

@@ -15,7 +15,7 @@ ms.collection:
 - m365-security
 - tier3
 - mde-asr
-ms.date: 11/15/2024
+ms.date: 02/03/2025
 search.appverid: met150
 ---
 
@@ -439,6 +439,8 @@ Hardware-enforced stack protection offers robust protection against ROP exploits
 
 Hardware-enforced stack protection only works on chipsets with support for hardware shadow stacks, Intel's Control-flow Enforcement Technology (CET) or AMD shadow stacks.
 
+If you're running applications based on the .Net Framework, hardware-enforced stack protection is compatible with .Net Framework 7 (opt-in), or newer.  If you're using an application with an older version (earlier than .Net Framework 7), expect stability issues (crashes or hangs) and/or performance issues (high cpu or memory leaks). These stability issues could also occur when either in audit mode and/or when targeting only compatible modules.
+
 ### Configuration options
 
 **Audit only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Defender for Endpoint](/defender-xdr/advanced-hunting-overview).

defender-endpoint/linux-support-perf.md

@@ -15,7 +15,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: linux
 search.appverid: met150
-ms.date: 01/06/2025
+ms.date: 02/04/2025
 ms.custom: 
 - partner-contribution
 ---
@@ -262,7 +262,7 @@ sudo mdatp diagnostic create
 
 - [Troubleshoot cloud connectivity issues for Microsoft Defender for Endpoint on Linux](linux-support-connectivity.md#run-the-connectivity-test)
 
-- [Troubleshoot performance issues for Microsoft Defender for Endpoint on Linux](linux-support-perf.md#troubleshoot-performance-issues-using-microsoft-defender-for-endpoint-client-analyzer)
+- [Troubleshoot performance issues for Microsoft Defender for Endpoint on Linux](linux-support-perf.md)
 
 ## Related articles
 

defender-endpoint/mde-linux-deployment-on-sap.md

@@ -14,7 +14,7 @@ ms.collection:
 ms.topic: troubleshooting
 ms.subservice: edr
 search.appverid: met150
-ms.date: 11/18/2024
+ms.date: 02/03/2025
 ---
 
 # Collect support logs in Microsoft Defender for Endpoint using live response
@@ -69,14 +69,6 @@ This article provides instructions on how to run the tool via Live Response on W
 
 - The latest preview version of MDEClientAnalyzer can be downloaded here: <https://aka.ms/MDEClientAnalyzerPreview>.
 
-- If you can't allow the machine to reach the above URL, then upload `MDEClientAnalyzerPreview.zip` file to the library before running the LiveAnalyzer script:
-
-   ```console
-   PutFile MDEClientAnalyzerPreview.zip -overwrite
-   Run MDELiveAnalyzer.ps1
-   GetFile "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\MDECA\MDEClientAnalyzerResult.zip"
-   ```
-
 - For more information on gathering data locally on a machine in case the machine isn't communicating with Microsoft Defender for Endpoint cloud services, or doesn't appear in Microsoft Defender for Endpoint portal as expected, see [Verify client connectivity to Microsoft Defender for Endpoint service URLs](verify-connectivity.md).
 
 - As described in [Live response command examples](live-response-command-examples.md), you might want to use the `&` symbol at the end of the command to collect logs as a background action:

defender-endpoint/troubleshoot-collect-support-log.md

@@ -51,11 +51,23 @@ The following tables present the relevant vulnerability information organized by
 | - | Defender Vulnerability Management doesn't currently support Nvidia Cuda Pilot | 20-Jan-25 |
 | - | Fixed inaccuracy in Mattermost Desktop vulnerability- CVE-2024-39613 | 21-Jan-25 |
 | - | Added Microsoft Defender Vulnerability Management support to BeyondTrust Privileged Remote Access | 21-Jan-25 |
-| - | Fixed inaccuracy in BeyondTrust Remote Support | 21-Jan-25 |
 | - | Fixed vulnerability detection in InfluxDB | 22-Jan-25 |
+| - | Fixed inaccuracy in BeyondTrust Remote Support | 22-Jan-25 |
 | 68411 | Fixed inaccurate detections in WebM Project libwebp by excluding razer file path | 22-Jan-25 |
 | 77999 | Defender Vulnerability Management doesn't currently support these four ESET vulnerabilities: <br/>- CVE-2020-11446<br/>- CVE-2023-5594<br/>- CVE-2023-3160<br/>- CVE-2024-7400 | 22-Jan-25 |
-
+| - | Updated existing normalization rule for Adobe Acrobat Reader to detect raw names with 'neopackage'| 22-Jan-25 |
+| 70377 | Fixed incorrect detections in Microsoft Teams by excluding incorrect Raw Product Names Vida | 22-Jan-25 |
+| 74420 | Fixed incorrect detections in Toggl Track by excluding incorrect Raw Product Names WeChat | 22-Jan-25 |
+| 75694 | Fixed incorrect detections in McAfee by excluding incorrect Raw Product Names Drive Encryption | 22-Jan-25 |
+| 71402 | Fixed incorrect detections in Smoothwall by excluding incorrect Raw Product Names Smoothwall Unified Client | 22-Jan-25 |
+| 76607 | Fixed inaccuracy in Dell BeyondCompare by excluding incorrect Raw Product Names Scooter Software | 22-Jan-25 |
+| - | Added normalization rule for Microsoft Visual Studio 2015 to improve detection logic | 22-Jan-25 |
+| 79328 | Fixed incorrect detections in Microsoft Monitoring Agent by excluding incorrect Raw Product Names MDOP MBAM | 22-Jan-25 |
+| 83419 | Added Microsoft Defender Vulnerability Management support to Sinclair MakeMeAdmin | 22-Jan-25 |
+| 84540 | Fixed incorrect detections in Apple Xcode by excluding incorrect Raw Product Names ProtoPie and RocketSim | 22-Jan-25 |
+| - | Fixed incorrect detections in Apache Tomcat by excluding incorrect Raw Product Names Commons Logging | 22-Jan-25 |
+| 61679 | Defender Vulnerability Management doesn't currently support ESRI portal for Arcgis | 22-Jan-25 |
+| - | Defender Vulnerability Management doesn't currently support Citrix Virtual Apps & Desktops | 22-Jan-25 |
 
 ## November 2024
 
@@ -72,8 +84,6 @@ The following tables present the relevant vulnerability information organized by
 | Inaccuracy report ID | Description | Fix date |
 |---|---|---|
 | - | Fixed inaccuracy in Microsoft LibDB & NSS vulnerabilities | 03-Oct-24 |
-| 70377 | Fixed incorrect detections in Microsoft Teams by excluding Vida from the Teams normalization rule | 09-Oct-24 |
-| 74420 | Fixed incorrect detections in Toggl Track by excluding WeChat from the Toggl Track normalization rule | 09-Oct-24 |
 | 76607 | Fixed inaccuracy in Scooter Software | 09-Oct-24 |
 | 71665 | Fixed inaccuracy in Hoppscotch vulnerabilities - CVE-2023-34097 & CVE-2024-27092 | 29-Oct-24 |
 | 74054 | Fixed inaccuracy in Acronis vulnerability - CVE-2022-45449 | 29-Oct-24 |

defender-vulnerability-management/fixed-reported-inaccuracies.md

@@ -18,7 +18,7 @@ ms.topic: conceptual
 search.appverid: 
   - MOE150
   - MET150
-ms.date: 01/10/2025
+ms.date: 01/27/2025
 appliesto: 
 - Microsoft Defender XDR 
 - Microsoft Sentinel in the Microsoft Defender portal
@@ -107,7 +107,7 @@ The **Filters** list above the list of incidents shows the currently applied fil
 
 From the default incident queue, you can select **Add filter** to see the **Add filter** drop-down, from which you specify filters to apply to the incidents queue to limit the set of incidents shown. Here's an example.
 
-:::image type="content" source="/defender/media/incidents-queue/fig1-newfilters.png" alt-text="The Filters pane for the incident queue in the Microsoft Defender portal.":::
+:::image type="content" source="/defender/media/incidents-queue/incidents-all-filters.png" alt-text="The Filters pane for the incident queue in the Microsoft Defender portal.":::
 
 Select the filters you want to use, then select **Add** at the bottom of the list to make them available.
 
@@ -134,8 +134,9 @@ This table lists the filter names that are available.
 | **Classification** | Specify the set of classifications of the related alerts. |
 | **Automated investigation state** | Specify the status of automated investigation.  |
 | **Associated threat** | Specify a named threat.  |
-| **Alert policies** | Specify an alert policy title.  |
-| **Alert subscription IDs** | Specify an alert  based on a subscription ID.  |
+| **Policy/policy rule** | Filter incidents based on policy or policy rule.  |
+| **Product names** | Filter incidents based on product name.  |
+| **Data stream** | Filter incidents based on the location or workload.  |
 
 > [!NOTE]
 > If you have provisioned access to Microsoft Purview Insider Risk Management, you can view and manage insider risk management alerts and hunt for insider risk management events in the Microsoft Defender portal. For more information, see [Investigate insider risk threats in the Microsoft Defender portal](irm-investigate-alerts-defender.md).

defender-xdr/incident-queue.md

@@ -16,19 +16,17 @@ ms.collection:
 ms.custom: admindeeplinkDEFENDER
 ms.topic: conceptual
 search.appverid:
-- MOE150
-- met150
-ms.date: 01/17/2025
+  - MOE150
+  - met150
+ms.date: 1/27/2025
+appliesto:
+- Microsoft Defender XDR
 ---
 
 # Investigate alerts in Microsoft Defender XDR
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
 
-**Applies to:**
-
-- Microsoft Defender XDR
-
 > [!NOTE]
 > This article describes security alerts in Microsoft Defender XDR. However, you can use activity alerts to send email notifications to yourself or other admins when users perform specific activities in Microsoft 365. For more information, see [Create activity alerts - Microsoft Purview | Microsoft Docs](/Microsoft-365/compliance/create-activity-alerts).
 
@@ -38,15 +36,15 @@ In Microsoft Defender XDR, related alerts are aggregated together to form [incid
 
 The **Alerts queue** shows the current set of alerts. You get to the alerts queue from **Incidents & alerts > Alerts** on the quick launch of the [Microsoft Defender portal](https://go.microsoft.com/fwlink/p/?linkid=2077139).
 
-:::image type="content" source="/defender/media/investigate-alerts/alerts-ss-alerts-queue.png" alt-text="The Alerts section in the Microsoft Defender portal" lightbox="/defender/media/investigate-alerts/alerts-ss-alerts-queue.png":::
+:::image type="content" source="/defender/media/investigate-alerts/alerts-page-defender-small.png" alt-text="The Alerts section in the Microsoft Defender portal" lightbox="/defender/media/investigate-alerts/alerts-page-defender.png":::
 
 Alerts from different Microsoft security solutions like Microsoft Defender for Endpoint, Defender for Office 365, Microsoft Sentinel, Defender for Cloud, Defender for Identity, Defender for Cloud Apps, Defender XDR, App Governance, Microsoft Entra ID Protection, and Microsoft Data Loss Prevention appear here.
 
 By default, the alerts queue in the Microsoft Defender portal displays the new and in progress alerts from the last seven days. The most recent alert is at the top of the list so you can see it first.
 
-From the default alerts queue, you can select **Filter** to see a **Filter** pane, from which you can specify a subset of the alerts. Here's an example.
+From the default alerts queue, you can select **Filter** to see all available filters from which you can specify a subset of the alerts. Here's an example.
 
-:::image type="content" source="/defender/media/investigate-alerts/alerts-ss-alerts-filter.png" alt-text="The Filters section in the Microsoft Defender portal." lightbox="/defender/media/investigate-alerts/alerts-ss-alerts-filter.png":::
+:::image type="content" source="/defender/media/investigate-alerts/alerts-all-filters.png" alt-text="All the filters available in the Alerts queue in the Microsoft Defender portal":::
 
 You can filter alerts according to these criteria:
 
@@ -55,10 +53,12 @@ You can filter alerts according to these criteria:
 - Categories
 - Service/detection sources
 - Tags
-- Policy
+- Policy/Policy rule
+- Alert type
+- Product name
 - Entities (the impacted assets)
 - Automated investigation state
-- Alert subscription IDs
+- Data stream (workload or location)
 
 > [!NOTE]
 > Microsoft Defender XDR customers can now filter incidents with alerts where a compromised device communicated with operational technology (OT) devices connected to the enterprise network through the [device discovery integration of Microsoft Defender for IoT and Microsoft Defender for Endpoint](/defender-endpoint/device-discovery#device-discovery-integration). To filter these incidents, select **Any** in the Service/detection sources, then select **Microsoft Defender for IoT** in the Product name or see [Investigate incidents and alerts in Microsoft Defender for IoT in the Defender portal](/defender-for-iot/investigate-threats/). You can also use device groups to filter for site-specific alerts. For more information about Defender for IoT prerequisites, see [Get started with enterprise IoT monitoring in Microsoft Defender XDR](/azure/defender-for-iot/organizations/eiot-defender-for-endpoint/).
@@ -73,6 +73,17 @@ An alert can have system tags and/or custom tags with certain color backgrounds.
 > [!TIP]
 > Microsoft's Security Exposure Management, based on predefined classifications, automatically tags devices, identities, and cloud resources as a **critical asset**. This out-of-the-box capability ensures the protection of an organization's valuable and most important assets. It also helps security operations teams to prioritize investigation and remediation. Know more about [critical asset management](/security-exposure-management/critical-asset-management).
 
+> [!IMPORTANT]
+> Some information in this article relates to a prereleased product, which may be substantially modified before it’s commercially released. Microsoft makes no warranties expressed or implied, with respect to the information provided here.
+
+You can search for alerts using a custom date and time range or by using the search bar to search for specific alerts. To search for alerts within a specific date or time range, select **Custom range** in the date picker and then specify the start and end dates and times.
+
+:::image type="content" source="/defender/media/investigate-alerts/alerts-custom-range.png" alt-text="Highlighting the custom range option in the date and time picker in the Alerts queue.":::
+
+To search for specific alerts, enter the search term in the search bar. You can search for alerts based on the alert title or alert ID.
+
+:::image type="content" source="/defender/media/investigate-alerts/alerts-search-bar-small.png" alt-text="Highlighting the search bar in the Alerts queue" lightbox="/defender/media/investigate-alerts/alerts-search-bar.png":::
+
 ## Required roles for Defender for Office 365 alerts
 
 You'll need to have any of the following roles to access Microsoft Defender for Office 365 alerts:

defender-xdr/investigate-alerts.md

@@ -16,7 +16,7 @@ ms.topic: conceptual
 search.appverid: 
   - MOE150
   - MET150
-ms.date: 07/18/2024
+ms.date: 02/04/2025
 appliesto:
 - Microsoft Defender XDR
 ---
@@ -31,7 +31,7 @@ Learn about licensing and other requirements for provisioning and using [Microso
 
 Microsoft Defender XDR natively correlates Microsoft security products' signals, providing security operations teams a single pane of glass to detect, investigate, respond, and protect your assets. These signals are dependent on the license that you have and the access provisioned to you.
 
-Any of the these licenses gives you access to Microsoft Defender XDR features via the Microsoft Defender portal without additional cost:
+Any of these licenses give you access to Microsoft Defender XDR features via the Microsoft Defender portal without any additional cost:
 
 - Microsoft 365 E5 or A5
 - Microsoft 365 E3 with the Microsoft 365 E5 Security add-on