MicrosoftDocs
diff --git a/‎defender-endpoint/machines-view-overview.md‎
Lines changed: 31 additions & 20 deletions b/‎defender-endpoint/machines-view-overview.md‎
Lines changed: 31 additions & 20 deletions
diff --git a/‎defender-office-365/submissions-outlook-report-messages.md‎
Lines changed: 2 additions & 2 deletions b/‎defender-office-365/submissions-outlook-report-messages.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎defender-xdr/custom-detection-rules.md‎
Lines changed: 21 additions & 17 deletions b/‎defender-xdr/custom-detection-rules.md‎
Lines changed: 21 additions & 17 deletions
diff --git a/‎unified-secops-platform/TOC.yml‎
Lines changed: 2 additions & 0 deletions b/‎unified-secops-platform/TOC.yml‎
Lines changed: 2 additions & 0 deletions
@@ -13,7 +13,7 @@ ms.collection:
 - tier2
 ms.topic: conceptual
 search.appverid: met150
-ms.date: 10/30/2024
+ms.date: 01/23/2025
 ---
 
 # Device inventory
@@ -58,6 +58,11 @@ The following image depicts the devices list:
 
 You can apply the following filters to limit the list of alerts and get a more focused view.
 
+> [!NOTE]
+> If you're not seeing some devices, try clearing your filters.
+>
+> To clear your filters, navigate to the top-right of the **Devices list** and select the  **Filter** icon. On the flight-out pane, select the **Clear all filters** button.
+
 ### Device name
 
 During the Microsoft Defender for Endpoint onboarding process, devices onboarded to Defender for Endpoint are gradually populated into the device inventory as they begin to report sensor data. The device inventory is also populated by devices that are discovered in your network through the device discovery process. The device inventory has the following tabs:
@@ -129,38 +134,41 @@ The available device properties to use as filters vary based on the device inven
 
 |Property|Tabs|Description|
 |---|---|---|
-|**Cloud platforms**|<ul><li>**All devices**</li><li>**Computers & mobile**</li></ul>|The cloud platform that the device belongs to. The available values are: <ul><li>**Azure**</li><li>**AWS**</li><li>**GCP**</li><li>**Arc**</li><li>**None**</li></ul>|
-|**Criticality level**|<ul><li>**All devices**</li><li>**Computers & mobile**</li></ul>|The assigned criticality level of the device (how critical a device is for your organization). The available values are: <ul><li>**Very high**: The device is considered a business critical asset</li><li>**High**</li><li>**Medium**</li><li>**Low**</li><li>**None**</li></ul> <br/> For more information, see [Overview of critical asset management](/security-exposure-management/critical-asset-management).|
-|**Device category**|**All devices**|The category value assigned to the device. Enter a value or select from the available values: <ul><li>**BMS**</li><li>**Computers and Mobile**</li><li>**IoT**</li><li>**Medical**</li><li>**Network Device**</li><li>**OT**</li><li>**Unknown**</li></ul>|
-|**Device subtype**|<ul><li>**All devices**</li><li>**IoT/OT**</li></ul>|The subtype value assigned to the device. Enter a value or select an available value (for example, **Video conference**).|
-|**Device type**|<ul><li>**All devices**</li><li>**IoT/OT**</li></ul>|The type value assigned to the device. Enter a value or select an available value (for example, **Audio and Video**).|
+|**Cloud platforms**|**All devices**, **Computers & mobile**|The cloud platform that the device belongs to. The available values are: <br/> - **Azure** <br/> - **AWS** <br/> - **GCP** <br/> - **Arc** <br/> - **None**|
+|**Criticality level**|**All devices**, **Computers & mobile**|The available values are: <br/> - **Very high** (The device is considered a business critical asset) <br/> - **High** <br/> - **Medium** <br/> - **Low** <br/> - **None**. For more information, see [Overview of critical asset management](/security-exposure-management/critical-asset-management).|
+|**Device category**|**All devices**|The category value assigned to the device. Enter a value or select from the available values: <br/> - **BMS** <br/> - **Computers and Mobile** <br/> - **IoT** <br/> - **Medical** <br/> - **Network Device** <br/> - **OT** <br/> - **Unknown**|
+|**Device subtype**|**All devices**, **IoT/OT**|The subtype value assigned to the device. Enter a value or select an available value (for example, **Video conference**).|
+|**Device type**|**All devices**, **IoT/OT**|The type value assigned to the device. Enter a value or select an available value (for example, **Audio and Video**).|
 |**Device role**|All|The specific role of the device within the organization. For detailed descriptions of each role, see [Predefined classifications](/security-exposure-management/predefined-classification-rules-and-levels).|
 |**Device value**|All|The assigned value of the device. The available values are **High** and **Low**.|
 |**Discovery sources**|All|The source reporting on the device.|
 |**Exclusion state**|All|The available values are **Not excluded** and **Excluded**. For more information, see [Exclude devices](exclude-devices.md).|
-|**Exposure level**|All|The exposure level of the device based on pending security recommendations. The available values are: <ul><li>**High**</li><li>**Medium**</li><li>**Low**: Devices are less vulnerable to exploitation.</li><li>**No data available**: Possible causes for this value include: <ul><li>The device is inactive (stopped reporting for more than 30 days).</li><li>The OS on the device isn't supported. For more information, see [minimum requirements for Microsoft Defender for Endpoint](minimum-requirements.md).</li><li>The agent software on the device is stale (unlikely).</li></ul></li></ul>|
+|**Exposure level**|All|The exposure level of the device based on pending security recommendations. The available values are: <br/>- **High** <br/> - **Medium** <br/> - **Low**: Devices are less vulnerable to exploitation. <br/>- **No data available**: Possible causes for this value include: <br/> - The device is inactive (stopped reporting for more than 30 days). - The OS on the device isn't supported. For more information, see [minimum requirements for Microsoft Defender for Endpoint](minimum-requirements.md). - The agent software on the device is stale (unlikely).|
 |**First seen**|All tabs except **Network devices**|How long ago the device was first seen on the network or when it was first reported by the Microsoft Defender for Endpoint sensor. The available values are **Last 7 days** or **Over 7 days ago**.|
-|**Group**|<ul><li>**All devices**</li><li>**Computers & mobile**</li><li>**Network devices**</li></ul>|Device groups. Enter a value in the box.|
-|**Internet facing**|<ul><li>**All devices**</li><li>**Computers & mobile**</li></ul>|Whether the device is internet facing. The available values are **Yes** and **No**.|
-|**Managed by**|<ul><li>**All devices**</li><li>**Computers & mobile**</li></ul>|How the device is being managed. The available values are: <ul><li>**Intune**</li><li>**Intune**: Microsoft Intune, including co-management with Microsoft Configuration Manager via tenant attach.</li><li>**ConfigMgr**: Microsoft Configuration manager.</li><li>**MDE**: Microsoft Defender for Endpoint.</li><li>**Unknown**: This value is caused by one of the following conditions: <ul><li>An outdated version of Windows.</li><li>GPO management.</li><li>Non-Microsoft mobile device management (MDM).</li></ul></li></ul>|
-|**Mitigation status**|<ul><li>**All devices**</li><li>**Computers & mobile**</li></ul>|The available values are **Contained** and **Isolated**.|
+|**Group**|**All devices**, **Computers & mobile**, **Network devices**|Device groups. Enter a value in the box.|
+|**Internet facing**|**Tabs**|**Description**|
+|**All devices**|**Computers & mobile**|Whether the device is internet facing. The available values are **Yes** and **No**.|
+|**Managed by**|**All devices**, **Computers & mobile**|How the device is being managed. The available values are: <br/> - **Intune**: Microsoft Intune, including co-management with Microsoft Configuration Manager via tenant attach <br/> - **ConfigMgr**: Microsoft Configuration manager <br/> - **MDE**: Microsoft Defender for Endpoint <br/> - **Unknown**: This value is caused by one of the following conditions: An outdated version of Windows, GPO management, Non-Microsoft mobile device management (MDM).|
+|**Mitigation status**|**All devices**, **Computers & mobile**|The available values are **Contained** and **Isolated**.|
 |**Model**|**All devices**|The model of the device. Enter a value or select from the available values.|
-|**Onboarding status**|<ul><li>**All devices**</li><li>**Computers & mobile**</li></ul>|Whether the device is currently onboarded in Defender for Endpoint. Device discovery must be enabled for this filter to appear. The available values are: <ul><li>**Onboarded**: The device is onboarded to Defender for Endpoint.</li><li>**Can be onboarded**: The supported device was discovered, but it isn't currently onboarded. We highly recommend onboarding these devices.</li><li>**Unsupported**: The unsupported device was discovered.</li><li>**Insufficient info**: The system couldn't determine the supportability of the device.|
-|**OS Platform**|<ul><li>**All devices**</li><li>**Computers & mobile**</li></ul>|The operating system on the device. The available values are: <ul><li>**Windows 11**</li><li>**Windows 10**</li><li>**Windows 8.1**</li><li>**Windows 8**</li><li>**Windows 7**</li><li>**Windows Server 2022**</li><li>**Windows Server 2019**</li><li>**Windows Server 2016**</li><li>**Windows Server 2012 R2**</li><li>**Windows Server 2008 R2**</li><li>**Linux**</li><li>**macOS**</li><li>**iOS**</li><li>**Android**</li><li>**Windows 10 WVD**</li><li>**Other**</li></ul>|
-|**OS Version**|**All devices**|The version of the operating system, which includes Windows versions. On the **Computers & mobile** tab, the **Windows version** filter is also available.|
-|**Risk level**|All|The overall risk assessment of the device based on a combination of factors, including the type and severity of active alerts on the device. The available values are: <ul><li>**High**</li><li>**Medium**</li><li>**Low**</li><li>**Informational**</li><li>**No known risk**</li></ul> <br/> Resolving active alerts, approving remediation activities, and suppressing subsequent alerts can lower the risk level.|
-|**Sensor health state**|<ul><li>**All devices**</li><li>**Computers & mobile**</li></ul>|The available values for onboarded devices are: <ul><li>**Active**: Devices that are actively reporting sensor data to the service.</li><li>**Inactive**: Devices that stopped sending signals for more than seven days.</li><li>**Misconfigured**: Devices with impaired communications or devices that can't send sensor data. For more information on how to address issues on misconfigured devices, see, [Fix unhealthy sensors](fix-unhealthy-sensors.md)</li></ul>.|
-|**Site**|<ul><li>**All devices**</li><li>**IoT/OT**</li></ul>|Used for Defender for IoT [site security](/defender-for-iot/site-security-overview) (requires a Defender for IoT license).|
+|**Onboarding status**|**All devices**, **Computers & mobile**|Whether the device is currently onboarded in Defender for Endpoint. Device discovery must be enabled for this filter to appear. The available values are: <br/> - **Onboarded**: The device is onboarded to Defender for Endpoint. <br/> - **Can be onboarded**: The supported device was discovered, but it isn't currently onboarded. We highly recommend onboarding these devices. <br/> - **Unsupported**: The unsupported device was discovered. <br/> - **Insufficient info**: The system couldn't determine the supportability of the device.|
+|**OS distribution**|**All devices**, **Computers & mobile**|The distribution of the operating system. The available values are: <br/> - **Windows 11** <br/>- **Windows 10** <br/> - **Windows 8.1** <br/> - **Windows 8**<br/> - **Windows 7** <br/> - **Windows Server 2022** <br/> - **Windows Server 2019** <br/> - **Windows Server 2016** <br/> - **Windows Server 2012 R2** <br/> - **Windows Server 2008 R2** <br/> - **Linux** <br/> - **macOS** <br/> - **iOS** <br/> - **Android** <br/> - **Windows 10 WVD** <br/> - **Other**|
+|**OS Platform**|**All devices**, **Computers & mobile**|The operating system on the device. The available
+|**Risk level**|All|The overall risk assessment of the device based on a combination of factors, including the type and severity of active alerts on the device. The available values are: - **High** - **Medium** - **Low** - **Informational** - **No known risk** Resolving active alerts, approving remediation activities, and suppressing subsequent alerts can lower the risk level.|
+|**Sensor health state**|**All devices**, **Computers & mobile** |The available values for onboarded devices are: <br/> - **Active**: Devices that are actively reporting sensor data to the service. <br/> - **Inactive**: Devices that stopped sending signals for more than seven days. <br/> - **Misconfigured**: Devices with impaired communications or devices that can't send sensor data. For more information on how to address issues on misconfigured devices, see, [Fix unhealthy sensors](fix-unhealthy-sensors.md).|
+|**Site**|**All devices**, **IoT/OT**|Used for Defender for IoT [site security](/defender-for-iot/site-security-overview) (requires a Defender for IoT license).|
 |**Tags**|All|The grouping and tagging that you added to individual devices. For more information, see [Create and manage device tags](machine-tags.md).|
 |**Transient device**|All|The available values are **No** and **Yes**. By default, transient devices are filtered to reduce inventory noise. For more information, see [Identifying transient devices](transient-device-tagging.md).|
 |**Vendor**|**All devices**|The vendor of the device. Enter a value or select from the available values.|
-|**Windows version**|**Computers & mobile**|The version of Windows. The **OS version** filter is also available. <br/> The value **Future version** for this property is caused by one of the following scenarios: <ul><li>A prerelease build of a future Windows release.</li><li>The build has no version name.</li><li>The build version name isn't yet supported</li></ul> <br/> The full OS version is visible on the device details page.|
+|**Windows version**|**Computers & mobile**|The version of Windows. The **OS version** filter is also available.  <br/><br/>The value **Future version** for this property is caused by one of the following scenarios:<br/>- A prerelease build of a future Windows release.
+- The build has no version name.<br/>- The build version name isn't yet supported<br/><br/>The full OS version is visible on the device details page.|
 
 ## Use columns to customize the device inventory views
 
 You can sort the entries by clicking on an available column header. Select :::image type="icon" source="media/m365-cc-sc-customize-icon.png" border="false"::: **Customize columns** to change the columns that are shown. The default values are marked with an asterisk (*):
 
 - **All devices** tab:
+
   - **Name***
   - **IP***
   - **MAC address**
@@ -193,6 +201,7 @@ You can sort the entries by clicking on an available column header. Select :::im
   Firmware information for OT devices is displayed in the **OS version** and **Model** columns.
 
 - **Computers & mobile** tab:
+
   - **Name***
   - **Domain***
   - **Device AAD id***
@@ -218,7 +227,8 @@ You can sort the entries by clicking on an available column header. Select :::im
   - **Mitigation status***
   - **Cloud platforms***
 
-- **Network devices** tab
+- **Network devices** tab:
+
   - **IP***
   - **MAC address**
   - **Vendor***
@@ -237,7 +247,8 @@ You can sort the entries by clicking on an available column header. Select :::im
   - **Tags***
   - **Exclusion state**
 
-- **IoT/OT devices** tab
+- **IoT/OT devices** tab:
+
   - **IP***
   - **MAC address***
   - **Name***
 
@@ -14,7 +14,7 @@ ms.collection:
 description: Learn how to report phishing and suspicious emails in supported versions of Outlook using the built-in Report button or the Report Message and Report Phishing add-ins.
 ms.service: defender-office-365
 search.appverid: met150
-ms.date: 01/10/2025
+ms.date: 01/23/2025
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/eop-about" target="_blank">Exchange Online Protection</a>
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 1 and Plan 2</a>
@@ -54,7 +54,7 @@ Admins configure user reported messages to go to a specified reporting mailbox,
 
   If user reporting is turned off and a non-Microsoft add-in button is selected, the **Report** button isn't available in supported versions of Outlook.
 
-- The built-in **Report** button in Outlook on the web and the new Outlook for Windows supports reporting messages from shared mailboxes or other mailboxes by a delegate.
+- The built-in **Report** button in Outlook on the web, Outlook for Android and the new Outlook for Windows supports reporting messages from shared mailboxes or other mailboxes by a delegate.
   - Shared mailboxes require Send As or Send On Behalf permission for the user.
   - Other mailboxes require Send As or Send On Behalf permission _and_ Read and Manage permissions for the delegate.
 
 
@@ -71,24 +71,28 @@ In the Microsoft Defender portal, go to **Advanced hunting** and select an exist
 
 #### Required columns in the query results
 
-To create a custom detection rule, the query must return the following columns:
 
-- `Timestamp`- Used to set the timestamp for generated alerts
-- `ReportId`- Enables lookups for the original records
-- One of the following columns that identify specific devices, users, or mailboxes:
-  - `DeviceId`
-  - `DeviceName`
-  - `RemoteDeviceName`
-  - `RecipientEmailAddress`
-  - `SenderFromAddress` (envelope sender or Return-Path address)
-  - `SenderMailFromAddress` (sender address displayed by email client)
-  - `RecipientObjectId`
-  - `AccountObjectId`
-  - `AccountSid`
-  - `AccountUpn`
-  - `InitiatingProcessAccountSid`
-  - `InitiatingProcessAccountUpn`
-  - `InitiatingProcessAccountObjectId`
+To create a custom detection rule, the query must return the following columns:
+1. `Timestamp` - Used to set the timestamp for generated alerts
+2. A column or combination of columns that uniquely identify the event in Defender XDR tables:
+      - For Microsoft Defender for Endpoint tables, the `Timestamp`, `DeviceId`, and `ReportId` columns must appear in the same event
+      - For Alert* tables, `Timestamp` must appear in the event
+      - For Observation* tables, `Timestamp`and `ObservationId` must appear in the same event
+      - For all others, `Timestamp` and `ReportId` must appear in the same event
+3. One of the following columns that contain a strong identifier for an impacted asset:
+      - `DeviceId`
+      - `DeviceName`
+      - `RemoteDeviceName`
+      - `RecipientEmailAddress`
+      - `SenderFromAddress` (envelope sender or Return-Path address)
+      - `SenderMailFromAddress` (sender address displayed by email client)
+      - `RecipientObjectId`
+      - `AccountObjectId`
+      - `AccountSid`
+      - `AccountUpn`
+      - `InitiatingProcessAccountSid`
+      - `InitiatingProcessAccountUpn`
+      - `InitiatingProcessAccountObjectId`
 
 > [!NOTE]
 > Support for additional entities will be added as new tables are added to the [advanced hunting schema](advanced-hunting-schema-tables.md).
 
@@ -73,6 +73,8 @@
       href: /azure/sentinel/soc-optimization/soc-optimization-access?toc=/unified-secops-platform/toc.json&bc=/unified-secops-platform/breadcrumb/toc.json&tabs=defender-portal
     - name: Manage your unified SOC
       items:
+        - name: Manage cases
+          href: cases-overview.md
         - name: Manage multiple tenants
           items: 
             - name: Overview