Merge branch 'main' into APUpdate

Author: DebLanger

.openpublishing.redirection.defender.json

@@ -111,19 +111,24 @@
       "redirect_document_id": true
     },
     {
-      "source_path": "defender-xdr/pilot-deploy-defender-endpoint.md",
-      "redirect_url": "/defender-endpoint/pilot-deploy-defender-endpoint",
-      "redirect_document_id": false
+      "source_path": "defender-endpoint/techniques-device-timeline.md",
+      "redirect_url": "/defender-endpoint/device-timeline-event-flag#techniques-in-the-device-timeline",
+      "redirect_document_id": true
     },
     {
-      "source_path": "defender-xdr/pilot-deploy-defender-office-365.md",
-      "redirect_url": "/defender-office-365/pilot-deploy-defender-office-365",
+      "source_path": "defender-endpoint/linux-support-rhel.md",
+      "redirect_url": "/defender-endpoint/comprehensive-guidance-on-linux-deployment",
+      "redirect_document_id": true
+    },
+    {
+      "source_path": "defender-office-365/pilot-deploy-defender-office-365.md",
+      "redirect_url": "/defender-xdr/pilot-deploy-defender-office-365",
       "redirect_document_id": false
     },
     {
-      "source_path": "defender-endpoint/techniques-device-timeline.md",
-      "redirect_url": "/defender-endpoint/device-timeline-event-flag#techniques-in-the-device-timeline",
-      "redirect_document_id": true
-    }            
+      "source_path": "defender-endpoint/pilot-deploy-defender-endpoint.md",
+      "redirect_url": "/defender-xdr/pilot-deploy-defender-endpoint",
+      "redirect_document_id": false
+    }           
   ]
 }

CloudAppSecurityDocs/release-notes.md

@@ -20,6 +20,30 @@ For more information on what's new with other Microsoft Defender security produc
 For news about earlier releases, see [Archive of past updates for Microsoft Defender for Cloud Apps](release-note-archive.md).
 
 
+## October 2024
+
+### New anomaly data in advanced hunting CloudAppEvents table
+
+Defender for Cloud Apps users who use advanced hunting in the Microsoft Defender portal, can now utilize the new *LastSeenForUser* and *UncommonForUser* columns for queries and detections rules.  
+The new columns are designed to assist you to better __identify uncommon activities__ that may appear suspicious, and allow you to create more accurate custom detections, as well as investigate any suspicious activities that arise.
+
+For more information, see [Advanced Hunting "CloudAppEvents" Data schema](/microsoft-365/security/defender/advanced-hunting-cloudappevents-table).
+
+### New Conditional Access app control / inline data in advanced hunting CloudAppEvents table
+
+Defender for Cloud Apps users who use advanced hunting in the Microsoft Defender portal can now use the new *AuditSource* and *SessionData* columns for queries and detection rules.   
+Using this data allows for queries that consider specific audit sources, including access and session control, and queries by specific inline sessions.
+
+For more information, see [Advanced Hunting "CloudAppEvents" Data schema](/microsoft-365/security/defender/advanced-hunting-cloudappevents-table).
+
+### New data in advanced hunting CloudAppEvents table - OAuthAppId
+
+Defender for Cloud Apps users who use advanced hunting in the Microsoft Defender portal can now use the new _OAuthAppId_ column for queries and detection rules.
+
+Using _OAuthAppId_ allows the queries that consider specific OAuth applications, making queries and detection rules more accurate.
+
+For more information, see [Advanced Hunting "CloudAppEvents" Data schema](/microsoft-365/security/defender/advanced-hunting-cloudappevents-table).
+
 ## September 2024
 
 ### Enforce Edge in-browser when accessing business apps
@@ -28,7 +52,7 @@ Administrators who understand the power of Edge in-browser protection, can now r
 A primary reason is security, since the barrier to circumventing session controls using Edge is much higher than with reverse proxy technology.
 
 For more information see: 
-[Enforce Edge in-browser protection when accessing business apps](https://learn.microsoft.com/defender-cloud-apps/in-browser-protection#enforce-edge-in-browser-when-accessing-business-apps)
+[Enforce Edge in-browser protection when accessing business apps](/defender-cloud-apps/in-browser-protection)
 
 ### Connect Mural to Defender for Cloud Apps (Preview)
 
@@ -146,7 +170,7 @@ Microsoft Defender for Cloud Apps log collector now supports [Azure Kubernetes S
 
 For more information, see [Configure automatic log upload using Docker on Azure Kubernetes Service (AKS)](discovery-kubernetes.md).
 
-### New Conditional Access app control / inline data for the advanced hunting CloudAppEvents table
+### New Conditional Access app control / inline data for the advanced hunting CloudAppEvents table (Preview)
 
 Defender for Cloud Apps users who use advanced hunting in the Microsoft Defender portal can now use the new *AuditSource* and *SessionData* columns for queries and detection rules. Using this data allows for queries that consider specific audit sources, including access and session control, and queries by specific inline sessions.
 
@@ -224,7 +248,7 @@ Automatic log collection is supported using a Docker container on multiple opera
 
 For more information, see [Configure automatic log upload using Podman](discovery-linux-podman.md).
 
-### New anomaly data for the advanced hunting CloudAppEvents table
+### New anomaly data for the advanced hunting CloudAppEvents table (Preview)
 
 Defender for Cloud Apps users who use advanced hunting in the Microsoft Defender portal can now use the new *LastSeenForUser* and *UncommonForUser* columns for queries and detections rules. Using this data helps to rule out false positives and find anomalies.
 

defender-endpoint/TOC.yml

@@ -10,8 +10,6 @@
       href: zero-trust-with-microsoft-defender-endpoint.md
     - name: Trial user guide - Microsoft Defender for Endpoint
       href: defender-endpoint-trial-user-guide.md
-    - name: Pilot and deploy Microsoft Defender for Endpoint
-      href: pilot-deploy-defender-endpoint.md
     - name: Minimum requirements
       href: minimum-requirements.md
     - name: Supported Microsoft Defender for Endpoint capabilities by platform
@@ -459,8 +457,6 @@
             href: health-status.md
           - name: Troubleshoot cloud connectivity issues
             href: linux-support-connectivity.md
-          - name: Troubleshoot RHEL 6 installation issues
-            href: linux-support-rhel.md
           - name: Troubleshoot performance issues
             href: linux-support-perf.md
           - name: Troubleshoot missing events issues
@@ -1563,4 +1559,4 @@
     - name: Defender for Business
       href: /defender-business
     - name: Defender Vulnerability Management
-      href: /defender-vulnerability-management
+      href: /defender-vulnerability-management

defender-endpoint/comprehensive-guidance-on-linux-deployment.md

@@ -14,7 +14,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: linux
 search.appverid: met150
-ms.date: 09/10/2024
+ms.date: 10/28/2024
 ---
 
 # Advanced deployment guidance for Microsoft Defender for Endpoint on Linux
@@ -167,8 +167,6 @@ For a detailed list of supported Linux distros, see [System requirements](micros
 |OS version|Kernel filter driver|Comments|
 |---|---|---|
 |RHEL 7.x, RHEL 8.x, and RHEL 9.x |No kernel filter driver, the fanotify kernel option must be enabled|akin to Filter Manager (fltmgr, accessible via `fltmc.exe`) in Windows|
-|RHEL 6.x|TALPA kernel driver|
-
 ## 7. Add your existing solution to the exclusion list for Microsoft Defender Antivirus
 
 This step of the setup process involves adding Defender for Endpoint to the exclusion list for your existing endpoint protection solution and any other security products your organization is using. You can choose from several methods to add your exclusions to Microsoft Defender Antivirus.

defender-endpoint/defender-endpoint-demonstration-smartscreen-url-reputation.md

@@ -14,7 +14,7 @@ ms.collection:
 - demo
 ms.topic: article
 ms.subservice: asr
-ms.date: 01/15/2024
+ms.date: 10/28/2024
 ---
 
 # URL reputation demonstrations
@@ -71,7 +71,7 @@ Blocked from downloading because of its URL reputation
 
 - [Download blocked due to URL reputation](https://demo.smartscreen.msft.net/download/malwaredemo/freevideo.exe)
 
-  Launching this link should render a message similar to the Malware page message.
+  Launching this link should render a warning that the download was blocked as being unsafe by Microsoft Edge.
 
 ### Exploit page
 

defender-endpoint/deployment-vdi-microsoft-defender-antivirus.md

@@ -2,7 +2,7 @@
 title: Configure Microsoft Defender Antivirus on a remote desktop or virtual desktop infrastructure environment
 description: Get an overview of how to configure Microsoft Defender Antivirus in a remote desktop or non-persistent virtual desktop environment.
 ms.localizationpriority: medium
-ms.date: 09/27/2024
+ms.date: 10/28/2024
 ms.topic: conceptual
 author: denisebmsft
 ms.author: deniseb
@@ -31,8 +31,7 @@ search.appverid: met150
 
 - Windows
 
-> [!TIP]
-> This article is designed for customers who are using Microsoft Defender Antivirus capabilities only. If you have Microsoft Defender for Endpoint (which includes Microsoft Defender Antivirus alongside additional device protection capabilities), skip this article and proceed to [Onboard non-persistent virtual desktop infrastructure (VDI) devices in Microsoft Defender XDR](configure-endpoints-vdi.md).
+This article is designed for customers who are using Microsoft Defender Antivirus capabilities only. If you have Microsoft Defender for Endpoint (which includes Microsoft Defender Antivirus alongside other device protection capabilities), also go through [Onboard non-persistent virtual desktop infrastructure (VDI) devices in Microsoft Defender XDR](configure-endpoints-vdi.md).
 
 You can use Microsoft Defender Antivirus in a remote desktop (RDS) or non-persistent virtual desktop infrastructure (VDI) environment. Following the guidance in this article, you can configure updates to download directly to your RDS or VDI environments when a user signs in.
 
@@ -43,7 +42,7 @@ This guide describes how to configure Microsoft Defender Antivirus on your VMs f
 - [Use quick scans](#use-quick-scans)
 - [Prevent notifications](#prevent-notifications)
 - [Disable scans from occurring after every update](#disable-scans-after-an-update)
-- [Scan out-of-date machines or machines that have been offline for a while](#scan-vms-that-have-been-offline)
+- [Scan out-of-date machines or machines that were offline for a while](#scan-vms-that-have-been-offline)
 - [Apply exclusions](#exclusions)
 
 > [!IMPORTANT]
@@ -67,7 +66,7 @@ In Windows 10, version 1903, Microsoft introduced the shared security intelligen
 
 5. Enter `\\<Windows File Server shared location\>\wdav-update` (for help with this value, see [Download and unpackage](#download-and-unpackage-the-latest-updates)).
 
-6. Select **OK**, and then deploy the GPO to the VMs you want to test.
+6. Select **OK**, and then deploy the Group Policy Object to the VMs you want to test.
 
 ### PowerShell
 
@@ -96,10 +95,9 @@ Start-Process -FilePath $vdmpackage -WorkingDirectory $vdmpath -ArgumentList "/x
 
 You can set a scheduled task to run once a day so that whenever the package is downloaded and unpacked then the VMs receive the new update. We suggest starting with once a day, but you should experiment with increasing or decreasing the frequency to understand the impact.
 
-Security intelligence packages are typically published once every three to four hours. Setting a frequency shorter than four hours isn't advisable because it will increase the network overhead on your management machine for no benefit.
+Security intelligence packages are typically published once every three to four hours. Setting a frequency shorter than four hours isn't advisable because it increases the network overhead on your management machine for no benefit.
 
-You can also set up your single server or machine to fetch the updates on behalf of the VMs at an interval and place them in the file share for consumption.
-This configuration is possible when the devices have the share and read access (NTFS permissions) to the share so they can grab the updates. To set up this configuration, follow these steps:
+You can also set up your single server or machine to fetch the updates on behalf of the VMs at an interval and place them in the file share for consumption. This configuration is possible when the devices have share and read access (NTFS permissions) to the share so they can grab the updates. To set up this configuration, follow these steps:
 
 1. Create an SMB/CIFS file share.
 
@@ -122,7 +120,7 @@ This configuration is possible when the devices have the share and read access (
 
 ### Set a scheduled task to run the PowerShell script
 
-1. On the management machine, open the Start menu and type `Task Scheduler`. From the results, Task Scheduler and then select **Create task...** on the side panel.
+1. On the management machine, open the Start menu and type `Task Scheduler`. From the results, select Task Scheduler and then select **Create task...** in the side panel.
 
 2. Specify the name as `Security intelligence unpacker`. 
 
@@ -151,7 +149,7 @@ If you would prefer to do everything manually, here's what to do to replicate th
    Here's an example: `c:\wdav_update\{00000000-0000-0000-0000-000000000000}`
 
    > [!NOTE]
-   > In the script we set it so the last 12 digits of the GUID are the year, month, day, and time when the file was downloaded so that a new folder is created each time. You can change this so that the file is downloaded to the same folder each time.
+   > We set the script so that the last 12 digits of the GUID are the year, month, day, and time when the file was downloaded so that a new folder is created each time. You can change this so that the file is downloaded to the same folder each time.
 
 3. Download a security intelligence package from [https://www.microsoft.com/wdsi/definitions](https://www.microsoft.com/wdsi/definitions)  into the GUID folder. The file should be named `mpam-fe.exe`.
 
@@ -164,7 +162,7 @@ If you would prefer to do everything manually, here's what to do to replicate th
 
 Scheduled scans run in addition to [real-time protection and scanning](configure-real-time-protection-microsoft-defender-antivirus.md).
 
-The start time of the scan itself is still based on the scheduled scan policy (**ScheduleDay**, **ScheduleTime**, and **ScheduleQuickScanTime**). Randomization will cause Microsoft Defender Antivirus to start a scan on each machine within a four-hour window from the time set for the scheduled scan.
+The start time of the scan itself is still based on the scheduled scan policy (**ScheduleDay**, **ScheduleTime**, and **ScheduleQuickScanTime**). Randomization causes Microsoft Defender Antivirus to start a scan on each machine within a four-hour window from the time set for the scheduled scan.
 
 See [Schedule scans](schedule-antivirus-scans.md) for other configuration options available for scheduled scans.
 
@@ -194,14 +192,14 @@ Sometimes, Microsoft Defender Antivirus notifications are sent to or persist acr
 
 4. Deploy your Group Policy object as you usually do.
 
-Suppressing notifications prevents notifications from Microsoft Defender Antivirus from showing up when scans are done or remediation actions are taken. However, your security operations team will see the results of a scan if an attack is detected and stopped. Alerts, such as an initial access alert, are generated and will appear in the [Microsoft Defender portal](https://security.microsoft.com).
+Suppressing notifications prevents notifications from Microsoft Defender Antivirus from showing up when scans are done or remediation actions are taken. However, your security operations team sees the results of a scan if an attack is detected and stopped. Alerts, such as an initial access alert, are generated, and appear in the [Microsoft Defender portal](https://security.microsoft.com).
 
 ## Disable scans after an update
 
-Disabling a scan after an update will prevent a scan from occurring after receiving an update. You can apply this setting when creating the base image if you have also run a quick scan. This way, you can prevent the newly updated VM from performing a scan again (as you've already scanned it when you created the base image).
+Disabling a scan after an update prevents a scan from occurring after receiving an update. You can apply this setting when creating the base image if you have also run a quick scan. This way, you can prevent the newly updated VM from performing a scan again (as you've already scanned it when you created the base image).
 
 > [!IMPORTANT]
-> Running scans after an update will help ensure your VMs are protected with the latest security intelligence updates. Disabling this option will reduce the protection level of your VMs and should only be used when first creating or deploying the base image.
+> Running scans after an update helps ensure your VMs are protected with the latest security intelligence updates. Disabling this option reduces the protection level of your VMs and should only be used when first creating or deploying the base image.
 
 1. In your Group Policy Editor, go to **Windows components** \> **Microsoft Defender Antivirus** \> **Security Intelligence Updates**.
 
@@ -239,7 +237,7 @@ For more information, see [Start the scheduled scan only when computer is on but
 
 5. Deploy your Group Policy Object as you usually do.
 
-This policy forces a scan if the VM has missed two or more consecutive scheduled scans.
+This policy forces a scan if the VM missed two or more consecutive scheduled scans.
 
 ## Enable headless UI mode