Commit 1931edd

Merge branch 'main' of https://github.com/MicrosoftDocs/defender-docs-pr into patch-1
2 parents 790d14a + 157357e commit 1931edd

33 files changed, +520 -116 lines changed

ATPDocs/deploy/remote-calls-sam.md

Lines changed: 15 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -9,6 +9,13 @@ ms.topic: how-to
99

1010
Microsoft Defender for Identity mapping for [potential lateral movement paths](/defender-for-identity/understand-lateral-movement-paths) relies on queries that identify local admins on specific machines. These queries are performed with the SAM-R protocol, using the Defender for Identity [Directory Service account](directory-service-accounts.md) you configured.
1111

12+
> [!NOTE]
13+
> This feature can potentially be exploited by an adversary to obtain the Net-NTLM hash of the DSA account due to a Windows limitation in the SAM-R calls that allows downgrading from Kerberos to NTLM.
14+
> The new Defender for Identity sensor is not affected by this issue as it uses different detection methods.
15+
>
16+
> It is recommended to use a [low privileged DSA account](directory-service-accounts.md#grant-required-dsa-permissions). You can also [contact support](../support.md) to open a case and request to completely disable the [Lateral Movement Paths](../security-assessment-riskiest-lmp.md) data collection capability.
17+
> Please note that this will result in reduced data available for the [attack path feature in Exposure Management](/security-exposure-management/review-attack-paths).
18+
1219
This article describes the configuration changes required to allow the Defender for Identity Directory Services Account (DSA) to perform the SAM-R queries.
1320

1421
> [!TIP]
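Review bot: the NOTE added at lines 12-18 says "The new Defender for Identity sensor is not affected by this issue" without identifying which sensor that is; on this page the reader only knows the sensor that uses the DSA for SAM-R queries, so name or link the sensor version (and what it uses instead of SAM-R) so an admin can tell whether the Kerberos-to-NTLM downgrade caveat applies to their deployment. Also, "Please note that this will result in reduced data available" is a style nit: drop "Please note that" and state it directly, e.g. "Disabling this collection reduces the data available for the [attack path feature in Exposure Management](...)."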
@@ -20,7 +27,7 @@ This article describes the configuration changes required to allow the Defender
2027
To ensure that Windows clients and servers allow your Defender for Identity Directory Services Account (DSA) to perform SAM-R queries, you must modify the **Group Policy** and add the DSA, in **addition to the configured accounts** listed in the **Network access** policy. Make sure to apply group policies to all computers **except domain controllers**.
2128

2229
> [!IMPORTANT]
23-
> Perform this procedure in [*audit mode*](/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls#audit-only-mode) first, verifying the compatibility of the proposed configuration before making the changes to your production environment.
30+
> Perform this procedure in the [*audit mode*](/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls#audit-only-mode) first, by verifying the compatibility of the proposed configuration before making the changes to your production environment.
2431
>
2532
> Testing in audit mode is critical in ensuring that your environment remains secure, and any changes will not impact your application compatibility. You may observe increased SAM-R traffic, generated by the Defender for Identity sensors.
2633
>
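Review bot: the reworded IMPORTANT at line 30 reads worse than the line it replaces. "Perform this procedure in the audit mode first, by verifying the compatibility ..." makes verification the means of performing the procedure, whereas the original participle ("first, verifying ...") meant "and verify". Suggest "Perform this procedure in [*audit mode*](...) first, and verify the compatibility of the proposed configuration before making the changes to your production environment." (no "the" before "audit mode").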
@@ -31,9 +38,9 @@ To ensure that Windows clients and servers allow your Defender for Identity Dire
3138

3239
:::image type="content" source="../media/samr-policy-location.png" alt-text="Screenshot of the Network access policy selected." lightbox="../media/samr-policy-location.png":::
3340

34-
1. Add the DSA to the list of approved accounts able to perform this action, together with any other account that you've discovered during audit mode
41+
1. Add the DSA to the list of approved accounts able to perform this action, together with any other account that you've discovered during audit mode.
3542

36-
For more information, see [Network access: Restrict clients allowed to make remote calls to SAM](/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls).
43+
For more information, see [Network access: Restrict clients allowed to make remote calls to SAM](/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls).
3744

3845
## Make sure the DSA is allowed to access computers from the network (optional)
3946

@@ -48,10 +55,10 @@ For more information, see [Network access: Restrict clients allowed to make remo
4855

4956
1. Add the Defender for Identity Directory Service account to the list of approved accounts.
5057

51-
> [!IMPORTANT]
52-
> When configuring user rights assignments in group policies, it's important to note that the setting *replaces* the previous one rather than adding to it. Therefore, make sure to include *all* the desired accounts in the effective group policy. By default, workstations and servers include the following accounts: Administrators, Backup Operators, Users, and Everyone
53-
>
54-
> The [Microsoft Security Compliance Toolkit](https://www.microsoft.com/download/details.aspx?id=55319) recommends replacing the default *Everyone* with *Authenticated Users* to prevent anonymous connections from performing network sign-ins. Review your local policy settings before managing the [Access this computer from the network](/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network) setting from a GPO, and consider including *Authenticated Users* in the GPO if needed.
58+
> [!IMPORTANT]
59+
> When configuring user rights assignments in group policies, it's important to note that the setting *replaces* the previous one rather than adding to it. Therefore, make sure to include *all* the desired accounts in the effective group policy. By default, workstations and servers include the following accounts: Administrators, Backup Operators, Users, and Everyone.
60+
>
61+
> The [Microsoft Security Compliance Toolkit](https://www.microsoft.com/download/details.aspx?id=55319) recommends replacing the default *Everyone* with *Authenticated Users* to prevent anonymous connections from performing network sign-ins. Review your local policy settings before managing the [Access this computer from the network](/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network) setting from a GPO, and consider including *Authenticated Users* in the GPO if needed.
5562
5663
## Configure a Device profile for Microsoft Entra hybrid joined devices only
5764

@@ -86,7 +93,7 @@ This procedure describes how to use the [Microsoft Intune admin center](https://
8693

8794
1. Continue the wizard to select the **scope tags** and **assignments**, and select **Create** to create your profile.
8895

89-
For more information, see [Apply features and settings on your devices using device profiles in Microsoft Intune](/mem/intune/configuration/device-profiles).
96+
For more information, see [Apply features and settings on your devices using device profiles in Microsoft Intune](/mem/intune/configuration/device-profiles).
9097

9198
## Next step
9299

CloudAppSecurityDocs/api-alerts.md

Lines changed: 0 additions & 1 deletion
@@ -53,7 +53,6 @@ The response object defines the following properties.
5353
| intent | list | A field that specifies the kill chain related intent behind the alert. Multiple values can be reported in this field. The **intent** enumeration values follow the [MITRE att@ck enterprise matrix model](https://attack.mitre.org/matrices/enterprise/). Further guidance on the different techniques that make up each intent can be found in MITRE's documentation.<br> Possible values include:<br/><br>**0**: UNKNOWN<br />**1**: PREATTACK<br />**2**: INITIAL_ACCESS<br />**3**: PERSISTENCE<br />**4**: PRIVILEGE_ESCALATION<br />**5**: DEFENSE_EVASION<br />**6**: CREDENTIAL_ACCESS<br />**7**: DISCOVERY<br />**8**: LATERAL_MOVEMENT<br />**9**: EXECUTION<br />**10**: COLLECTION<br />**11**: EXFILTRATION<br />**12**: COMMAND_AND_CONTROL<br />**13**: IMPACT |
5454
| isPreview | bool | Alerts that have been recently released as GA |
5555
| audits *(optional)* | list | List of event IDs that are related to the alert |
56-
| threatScore | int | User investigation priority |
5756

5857
## Filters
5958

CloudAppSecurityDocs/api-entities.md

Lines changed: 0 additions & 1 deletion
@@ -37,6 +37,5 @@ The following table describes the supported filters:
3737
| domain | string | eq, neq, isset, isnotset | The entity's related domain |
3838
| organization | string | eq, neq, isset, isnotset | Filter entities with the specified organization unit |
3939
| status | string | eq, neq | Filter entities by status. Possible values include:<br /><br />**0**: N/A<br />**1**: Staged<br />**2**: Active<br />**3**: Suspended<br />**4**: Deleted |
40-
| score | integer | lt, gt, isset, isnotset | Filter entities by their Investigation Priority Score |
4140

4241
[!INCLUDE [Open support ticket](includes/support.md)]
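Review bot: the score filter removed at line 40 was the only lt/gt numeric filter in this table, so a reader who scripted against it gets no signal here about whether it was deprecated or removed. Use the same wording as whatever api-alerts.md ends up saying about threatScore so the two pages stay consistent. The table itself still closes cleanly after the status row.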

defender-endpoint/TOC.yml

Lines changed: 2 additions & 0 deletions
@@ -255,6 +255,8 @@
255255
items:
256256
- name: Deploy Defender for Endpoint on Linux
257257
items:
258+
- name: Defender for Endpoint on Linux for ARM64-based devices (preview)
259+
href: mde-linux-arm.md
258260
- name: Puppet based deployment
259261
href: linux-install-with-puppet.md
260262
- name: Ansible based deployment
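Review bot: the new TOC entry at lines 258-259 lands as the first child under "Deploy Defender for Endpoint on Linux", ahead of the deployment-method pages (Puppet, Ansible). The ARM64 page is a platform note rather than a deployment method, so consider placing it after the method entries. Also confirm mde-linux-arm.md is among the 33 files in this merge so the href doesn't resolve to a missing page.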

defender-endpoint/comprehensive-guidance-on-linux-deployment.md

Lines changed: 22 additions & 22 deletions
@@ -14,11 +14,14 @@ ms.collection:
1414
ms.topic: conceptual
1515
ms.subservice: linux
1616
search.appverid: met150
17-
ms.date: 10/28/2024
17+
ms.date: 12/10/2024
1818
---
1919

2020
# Advanced deployment guidance for Microsoft Defender for Endpoint on Linux
2121

22+
> [!TIP]
23+
> We are excited to share that Microsoft Defender for Endpoint on Linux now extends support for ARM64-based Linux servers in preview! For more information, see [Microsoft Defender for Endpoint on Linux for ARM64-based devices (preview)](mde-linux-arm.md).
24+
2225
This article provides advanced deployment guidance for Microsoft Defender for Endpoint on Linux. You get a brief summary of the deployment steps, learn about the system requirements, then be guided through the actual deployment steps. You'll also learn how to verify that the device has been correctly onboarded.
2326

2427
For information about Microsoft Defender for Endpoint capabilities, see [Advanced Microsoft Defender for Endpoint capabilities](#advanced-microsoft-defender-for-endpoint-capabilities).
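Review bot: the TIP at lines 22-23 uses announcement tone ("We are excited to share ... in preview!"), which doesn't fit a deployment guide and will date quickly. Suggest "Microsoft Defender for Endpoint on Linux supports ARM64-based Linux servers in preview. For more information, see [Microsoft Defender for Endpoint on Linux for ARM64-based devices (preview)](mde-linux-arm.md)." The ms.date bump to 12/10/2024 at line 17 is consistent with the content change.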
@@ -29,23 +32,21 @@ To learn about other ways to deploy Microsoft Defender for Endpoint on Linux, se
2932
- [Puppet based deployment](linux-install-with-puppet.md)
3033
- [Ansible based deployment](linux-install-with-ansible.md)
3134
- [Deploy Defender for Endpoint on Linux with Chef](linux-deploy-defender-for-endpoint-with-chef.md)
35+
- [Microsoft Defender for Endpoint on Linux for ARM64-based devices (preview)](mde-linux-arm.md)
3236

3337
## Deployment summary
3438

35-
Learn about the general guidance on a typical Microsoft Defender for Endpoint on Linux deployment. The applicability of some steps is determined by the requirements of your Linux environment.
39+
Learn about the general guidance on a typical Microsoft Defender for Endpoint on Linux deployment. The applicability of some steps is determined by the requirements of your Linux environment. Some of the steps are optional and aren't specific to Defender for Endpoint; however, consider doing all the steps for best results.
3640

3741
1. [Prepare your network environment](#1-prepare-your-network-environment).
3842

3943
2. [Capture performance data from the endpoint](#2-capture-performance-data-from-the-endpoint).
4044

41-
> [!NOTE]
42-
> Consider doing the following optional items, even though they are not Microsoft Defender for Endpoint specific, they tend to improve performance in Linux systems.
43-
44-
3. [(Optional) Check for filesystem errors 'fsck' (akin to chkdsk)](#3-optional-check-for-filesystem-errors-fsck-akin-to-chkdsk).
45+
3. (Optional) [Check for filesystem errors 'fsck' (akin to chkdsk)](#3-optional-check-for-filesystem-errors-fsck-akin-to-chkdsk).
4546

46-
4. [(Optional) Update storage subsystem drivers](#4-optional-update-storage-subsystem-drivers).
47+
4. (Optional) [Update storage subsystem drivers](#4-optional-update-storage-subsystem-drivers).
4748

48-
5. [(Optional) Update nic drivers](#5-optional-update-nic-drivers).
49+
5. (Optional) [Update nic drivers](#5-optional-update-nic-drivers).
4950

5051
6. [Confirm system requirements and resource recommendations are met](#6-confirm-system-requirements-and-resource-recommendations-are-met).
5152

@@ -85,27 +86,27 @@ Learn about the general guidance on a typical Microsoft Defender for Endpoint on
8586

8687
Add the Microsoft Defender for Endpoint URLs and/or IP addresses to the allowed list, and prevent traffic from being SSL inspected.
8788

88-
8989
### Network connectivity of Microsoft Defender for Endpoint
9090

9191
Use the following steps to check the network connectivity of Microsoft Defender for Endpoint:
9292

93-
1. See [Step 1: Allow destinations for the Microsoft Defender for Endpoint traffic](#step-1-allow-destinations-for-the-microsoft-defender-for-endpoint-traffic) that are allowed for the Microsoft Defender for Endpoint traffic.
93+
1. See [Allow destinations for the Microsoft Defender for Endpoint traffic](#step-1-allow-destinations-for-the-microsoft-defender-for-endpoint-traffic).
9494

95-
2. If the Linux servers are behind a proxy, then set the proxy settings. For more information, see [Set up proxy settings](#step-2-set-up-proxy-settings).
95+
2. If the Linux servers are behind a proxy, set proxy settings. For more information, see [Set up proxy settings](#step-2-set-up-proxy-settings).
9696

9797
3. Verify that the traffic isn't being inspected by SSL inspection (TLS inspection). This is the most common network related issue when setting up Microsoft Defender Endpoint, see [Verify SSL inspection isn't being performed on the network traffic](#step-3-verify-ssl-inspection-isnt-being-performed-on-the-network-traffic).
9898

9999
> [!NOTE]
100-
> - Traffic for Defender for Endpoint should NOT be inspected by SSL inspection (TLS inspection). This applies to all supported operating systems (Windows, Linux, and MacOS).
100+
> - Traffic for Defender for Endpoint should NOT be inspected by SSL inspection (TLS inspection). This applies to all supported operating systems (Windows, Linux, and Mac).
101101
> - To allow connectivity to the consolidated set of URLs or IP addresses, ensure your devices are running the latest component versions. See [Onboarding devices using streamlined connectivity for Microsoft Defender for Endpoint](configure-device-connectivity.md) for more information.
102102
103-
For more information see [Troubleshoot cloud connectivity issues](#troubleshoot-cloud-connectivity-issues).
103+
For more information, see [Troubleshoot cloud connectivity issues](#troubleshoot-cloud-connectivity-issues).
104104

105105
#### Step 1: Allow destinations for the Microsoft Defender for Endpoint traffic
106106

107-
1. Go to [STEP 1: Configure your network environment to ensure connectivity with Defender for Endpoint service](configure-environment.md) to find the relevant destinations that need to be accessible to devices inside your network environment
108-
2. Configure your Firewall/Proxy/Network to allow the relevant URLs and/or IP addresses
107+
1. See [Configure your network environment to ensure connectivity with Defender for Endpoint service](configure-environment.md) to find the relevant destinations that need to be accessible to devices inside your network environment
108+
109+
2. Configure your Firewall/Proxy/Network to allow the relevant URLs and/or IP addresses.
109110

110111
#### Step 2: Set up proxy settings
111112

@@ -125,15 +126,15 @@ The following table lists the supported proxy settings:
125126

126127
#### Step 3: Verify SSL inspection isn't being performed on the network traffic
127128

128-
To prevent man-in-the-middle attacks, all Microsoft Azure hosted traffic uses certificate pinning. As a result, SSL inspections by major firewall systems aren't allowed. You must bypass SSL inspection for Microsoft Defender for Endpoint URLs. For additional information about the certificate pinning process, see [enterprise-certificate-pinning](/windows/security/identity-protection/enterprise-certificate-pinning).
129+
To prevent man-in-the-middle attacks, all Microsoft Azure hosted traffic uses certificate pinning. As a result, SSL inspections by major firewall systems aren't allowed. You must bypass SSL inspection for Microsoft Defender for Endpoint URLs. For more information about the certificate pinning process, see [enterprise-certificate-pinning](/windows/security/identity-protection/enterprise-certificate-pinning).
129130

130131
##### Troubleshoot cloud connectivity issues
131132

132133
For more information, see [Troubleshooting cloud connectivity issues for Microsoft Defender for Endpoint on Linux](linux-support-connectivity.md).
133134

134135
## 2. Capture performance data from the endpoint
135136

136-
Capture performance data from the endpoints that have Defender for Endpoint installed. This includes disk space availability on all mounted partitions, memory usage, process list, and CPU usage (aggregate across all cores).
137+
Capture performance data from the endpoints that have Defender for Endpoint installed. This data includes disk space availability on all mounted partitions, memory usage, process list, and CPU usage (aggregate across all cores).
137138

138139
## 3. (Optional) Check for filesystem errors 'fsck' (akin to chkdsk)
139140

@@ -157,21 +158,21 @@ For a detailed list of supported Linux distros, see [System requirements](micros
157158
|---|---|
158159
|Disk space |Minimum: 2 GB <br> NOTE: More disk space might be needed if cloud diagnostics are enabled for crash collections. |
159160
|RAM |1 GB<br> 4 GB is preferred|
160-
|CPU |If the Linux system is running only one vcpu, we recommend it be increased to two vcpu's<br> 4 cores are preferred |
161+
|CPU |If the Linux system is running only one vcpu, we recommend it be increased to two vcpu's<br> Four cores are preferred |
161162

162163
|OS version|Kernel filter driver|Comments|
163164
|---|---|---|
164-
|RHEL 7.x, RHEL 8.x, and RHEL 9.x |No kernel filter driver, the fanotify kernel option must be enabled|akin to Filter Manager (fltmgr, accessible via `fltmc.exe`) in Windows|
165+
|RHEL 7.x, RHEL 8.x, and RHEL 9.x |No kernel filter driver, the `fanotify` kernel option must be enabled|akin to Filter Manager (fltmgr, accessible via `fltmc.exe`) in Windows|
165166
## 7. Add your existing solution to the exclusion list for Microsoft Defender Antivirus
166167

167168
This step of the setup process involves adding Defender for Endpoint to the exclusion list for your existing endpoint protection solution and any other security products your organization is using. You can choose from several methods to add your exclusions to Microsoft Defender Antivirus.
168169

169170
> [!TIP]
170171
> To get help configuring exclusions, refer to your solution provider's documentation.
171172
172-
- Your ability to run Microsoft Defender for Endpoint on Linux alongside a non-Microsoft antimalware product depends on the implementation details of that product. If the other antimalware product uses fanotify, it has to be uninstalled to eliminate performance and stability side effects resulting from running two conflicting agents.
173+
- Your ability to run Microsoft Defender for Endpoint on Linux alongside a non-Microsoft antimalware product depends on the implementation details of that product. If the other antimalware product uses `fanotify`, it has to be uninstalled to eliminate performance and stability side effects resulting from running two conflicting agents.
173174

174-
- To check if there's a non-Microsoft antimalware that is running FANotify, you can run `mdatp health`, then check the result:
175+
- To check if there's a non-Microsoft antimalware that is running `fanotify`, you can run `mdatp health`, then check the results:
175176

176177
:::image type="content" source="media/mdatp-health-result.png" alt-text="Image of mdatp health result":::
177178

@@ -199,7 +200,6 @@ This step of the setup process involves adding Defender for Endpoint to the excl
199200
When you add [exclusions to Microsoft Defender Antivirus scans](/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus), you should add path and process exclusions.
200201

201202
> [!NOTE]
202-
>
203203
> - Antivirus exclusions apply to the antivirus engine.
204204
> - Indicators allow/block apply to the antivirus engine.
205205
