MicrosoftDocs
diff --git a/‎defender-endpoint/ios-install.md‎
Lines changed: 4 additions & 7 deletions b/‎defender-endpoint/ios-install.md‎
Lines changed: 4 additions & 7 deletions
diff --git a/‎defender-endpoint/microsoft-defender-endpoint-ios.md‎
Lines changed: 0 additions & 3 deletions b/‎defender-endpoint/microsoft-defender-endpoint-ios.md‎
Lines changed: 0 additions & 3 deletions
diff --git a/‎defender-xdr/TOC.yml‎
Lines changed: 25 additions & 23 deletions b/‎defender-xdr/TOC.yml‎
Lines changed: 25 additions & 23 deletions
diff --git a/‎defender-xdr/microsoft-threat-actor-naming.md‎
Lines changed: 8 additions & 2 deletions b/‎defender-xdr/microsoft-threat-actor-naming.md‎
Lines changed: 8 additions & 2 deletions
diff --git a/‎defender-xdr/security-copilot-m365d-guided-response.md‎
Lines changed: 6 additions & 6 deletions b/‎defender-xdr/security-copilot-m365d-guided-response.md‎
Lines changed: 6 additions & 6 deletions
diff --git a/‎defender-xdr/security-copilot-m365d-incident-summary.md‎
Lines changed: 10 additions & 5 deletions b/‎defender-xdr/security-copilot-m365d-incident-summary.md‎
Lines changed: 10 additions & 5 deletions
@@ -195,9 +195,8 @@ Once the above configuration is done and synced with the device, the following a
 - Web Protection and other features will be activated.
 
 > [!NOTE]
-> For supervised devices, admins can setup Zero touch onboarding with the new [ZeroTouch Control Filter Profile](#device-configuration-profile-control-filter).
-
-Defender for Endpoint VPN Profile will not be installed on the device and Web protection will be provided by the Control Filter Profile.
+> - Zero touch setup can take up to 5 minutes to complete in the background. 
+> - For supervised devices, admins can set up Zero touch onboarding with the [ZeroTouch Control Filter Profile](#device-configuration-profile-control-filter). Defender for Endpoint VPN Profile will not be installed on the device and Web protection will be provided by the Control Filter Profile.
 
 ### Auto-Onboarding of VPN profile (Simplified Onboarding)
 
@@ -230,8 +229,6 @@ Admins can configure auto-setup of VPN profile. This will automatically set up t
 1. In the *Review + Create* section, verify that all the information entered is correct and then select **Create**.
 
 ##  **User Enrollment setup** (only for Intune User Enrolled devices)
-> [!IMPORTANT]
-> User Enrollment for Microsoft Defender on iOS is in public preview. The following information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
 
 Microsoft Defender iOS app can be deployed on the Intune User Enrolled devices using the following steps.
 
@@ -258,9 +255,9 @@ Microsoft Defender iOS app can be deployed on the Intune User Enrolled devices u
 Defender app is installed into the user's device. User signs in and completes the onboarding. Once the device is successfully onboarded, it will be visible in the Defender Security Portal under Device Inventory.
 
 ### Supported features and limitations
-  1. Supported all the current capabilities of MDE iOS like – Web protection, Network Protection, Jailbreak detection, Vulnerabilities in OS and Apps, Alerting in Defender Security Portal and Compliance policies. 
+1. Supports all the current capabilities of Defender for Endpoint iOS like – Web protection, Network Protection, Jailbreak detection, Vulnerabilities in OS and Apps, Alerting in Defender Security Portal and Compliance policies. 
   1. Zero touch (silent) deployment and auto onboarding of VPN is not supported with User Enrollment since admins cannot push a device wide VPN profile with User Enrollment.
-  1. For Vulnerability management of apps, only apps in the work profile will be visible. 
+  1. For vulnerability management of apps, only apps in the work profile will be visible. 
   1. Read more on the [User Enrollment limitations and capabilities](/mem/intune/enrollment/ios-user-enrollment-supported-actions#limitations-and-capabilities-not-supported).
 
 
 
@@ -73,10 +73,7 @@ ms.date: 02/22/2024
 - The device is either enrolled with the [Intune Company Portal app](https://apps.apple.com/us/app/intune-company-portal/id719171358) or is registered with Microsoft Entra ID through [Microsoft Authenticator](https://apps.apple.com/app/microsoft-authenticator/id983156458) with the same account.
 
 > [!NOTE]
->
 > - Microsoft Defender for Endpoint on iOS isn't supported on user-less or shared devices.
-> - Microsoft Defender for Endpoint on iOS isn't supported currently while using iOS User Enrollment.
-
 ## Installation instructions
 
 Deployment of Microsoft Defender for Endpoint on iOS can be done via Microsoft Intune and both supervised and unsupervised devices are supported. End-users can also directly install the app from the [Apple app store](https://aka.ms/mdatpiosappstore).
 
@@ -4,7 +4,7 @@
   items: 
     - name: Overview
       items:
-      - name: What is Microsoft Defender XDR
+      - name: What is Microsoft Defender XDR?
         href: microsoft-365-defender.md
       - name: What's new
         href: whats-new.md
@@ -68,20 +68,36 @@
           href: m365d-enable.md
         - name: 2. Deploy supported services
           href: deploy-supported-services.md
-        - name: Setup guides for Microsoft Defender XDR
-          href: deploy-configure-m365-defender.md  
-        - name: Turning on Microsoft Defender XDR FAQs
-          href: m365d-enable-faq.md              
-        - name: Train your security staff
-          href: microsoft-365-defender-train-security-staff.md              
+        - name: 3. Train your security staff
+          href: microsoft-365-defender-train-security-staff.md
+        - name : Guides and FAQs
+          items:              
+          - name: Setup guides for Microsoft Defender XDR
+            href: deploy-configure-m365-defender.md  
+          - name: Turning on Microsoft Defender XDR FAQs
+            href: m365d-enable-faq.md
+          - name: Guides for your security staff
+            items: 
+            - name: Respond to your first incident
+              href: respond-first-incident-365-defender.md
+            - name: Analyze your first incident
+              href: respond-first-incident-analyze.md
+            - name: Remediate your first incident
+              href: respond-first-incident-remediate.md
+            - name: Additional incident examples
+              items: 
+              - name: Phishing email
+                href: first-incident-path-phishing.md
+              - name: Identity
+                href: first-incident-path-identity.md                          
     - name: Protect against threats
       items: 
       - name: Microsoft Secure Score
         items: 
-          - name: What's new
-            href: microsoft-secure-score-whats-new.md
           - name: Overview
             href: microsoft-secure-score.md
+          - name: What's new
+            href: microsoft-secure-score-whats-new.md
           - name: Assess your security posture
             href: microsoft-secure-score-improvement-actions.md
           - name: Track your score history and meet goals
@@ -124,20 +140,6 @@
                 href: manage-incidents.md
               - name: Export incidents queue to CSV file
                 href: export-incidents-queue.md
-              - name: Respond to your first incident
-                items: 
-                 - name: Overview
-                   href: respond-first-incident-365-defender.md
-                 - name: Analyze your first incident
-                   href: respond-first-incident-analyze.md
-                 - name: Remediate your first incident
-                   href: respond-first-incident-remediate.md
-                 - name: Additional incident examples
-                   items: 
-                    - name: Phishing email
-                      href: first-incident-path-phishing.md
-                    - name: Identity
-                      href: first-incident-path-identity.md
               - name: Investigate incidents
                 items: 
                  - name: Incidents
 
@@ -16,7 +16,7 @@ ms.collection:
 - tier2
 ms.topic: conceptual
 search.appverid: met150
-ms.date: 04/29/2024
+ms.date: 06/12/2024
 ---
 
 # How Microsoft names threat actors
@@ -85,12 +85,14 @@ Use the following reference table to understand how our previously publicly disc
 |Lemon Sandstorm|RUBIDIUM|Iran|Fox Kitten, UNC757, PioneerKitten|
 |Leopard Typhoon|LEAD|China|KAOS, Mana, Winnti, Red Diablo|
 |Lilac Typhoon|DEV-0234|China||
+|Luna Tempest|Storm-0744|Financially motivated||
 |Manatee Tempest|DEV-0243|Financially motivated|EvilCorp, UNC2165, Indrik Spider|
 |Mango Sandstorm|MERCURY|Iran|MuddyWater, SeedWorm, Static Kitten, TEMP.Zagros|
 |Marbled Dust|SILICON|Türkiye|Sea Turtle|
 |Marigold Sandstorm|DEV-0500|Iran|Moses Staff|
 |Midnight Blizzard|NOBELIUM|Russia|APT29, Cozy Bear|
 |Mint Sandstorm|PHOSPHORUS|Iran|APT35, Charming Kitten|
+|Moonstone Sleet|Storm-1789|North Korea||
 |Mulberry Typhoon|MANGANESE|China|APT5, Keyhole Panda, TABCTENG|
 |Mustard Tempest|DEV-0206|Financially motivated|Purple Vallhund|
 |Night Tsunami|DEV-0336|Private sector offensive actor|NSO Group|
@@ -106,6 +108,7 @@ Use the following reference table to understand how our previously publicly disc
 |Pistachio Tempest|DEV-0237|Financially motivated|FIN12|
 |Plaid Rain|POLONIUM|Lebanon||
 |Pumpkin Sandstorm|DEV-0146|Iran|ZeroCleare|
+|Purple Typhoon|POTASSIUM|China|APT10, Cloudhopper, MenuPass|
 |Raspberry Typhoon|RADIUM|China|APT30, LotusBlossom|
 |Ruby Sleet|CERIUM|North Korea||
 |Salmon Typhoon|SODIUM|China|APT4, Maverick Panda|
@@ -124,7 +127,7 @@ Use the following reference table to understand how our previously publicly disc
 |Storm-0324||Financially motivated|TA543, Sagrid|
 |Storm-0381||Financially motivated||
 |Storm-0530||North Korea|H0lyGh0st|
-|Storm-0539||Financially motivated||
+|Storm-0539||Financially motivated|Atlas Lion|
 |Storm-0558||China||
 |Storm-0569||Financially motivated||
 |Storm-0587||Russia|SaintBot, Saint Bear, TA471|
@@ -155,6 +158,9 @@ Use the following reference table to understand how our previously publicly disc
 |Storm-1567||Financially motivated|Akira|
 |Storm-1575||Group in development|Dadsec|
 |Storm-1674||Financially motivated||
+|Storm-1679||Russia, Influence operations||
+|Storm-1811||Financially motivated||
+|Storm-1849||China|UAT4356|
 |Strawberry Tempest||Financially motivated|LAPSUS$|
 |Sunglow Blizzard||Russia||
 |Tomato Tempest|SPURR|Financially motivated|Vatet|
 
@@ -54,25 +54,25 @@ Each card contains information about the recommended action, including the entit
 
 The guided response cards can be sorted based on the available status for each card. You can select a specific status when viewing the guided responses by clicking on **Status** and selecting the appropriate status you want to view. All guided response cards regardless of status are shown by default.
 
-:::image type="content" source="/defender/media/copilot-in-defender/guided-response/copilot-defender-guided-response-status-small.png" alt-text="Screenshot highlighting the status of responses in the Copilot pane in the Microsoft Defender incident page." lightbox="/defender/media/copilot-in-defender/guided-response/copilot-defender-guided-response-status.png":::
+:::image type="content" source="/defender/media/copilot-in-defender/guided-response/copilot-defender-guided-response-status-small.png" alt-text="Screenshot that shows the status of responses in the Copilot pane in the Microsoft Defender incident page." lightbox="/defender/media/copilot-in-defender/guided-response/copilot-defender-guided-response-status.png":::
 
 To use guided responses, perform the following steps:
 
 1. Open an incident page. Copilot automatically generates guided responses upon opening an incident page. The Copilot pane appears on the right side of the incident page, showing the guided response cards.
 
-   :::image type="content" source="/defender/media/copilot-in-defender/guided-response/copilot-defender-guided-response-small.png" alt-text="Screenshot highlighting the Copilot pane with the guided responses in the Microsoft Defender incident page." lightbox="/defender/media/copilot-in-defender/guided-response/copilot-defender-guided-response.png":::
+   :::image type="content" source="/defender/media/copilot-in-defender/guided-response/copilot-defender-guided-response-small.png" alt-text="Screenshot that shows the Copilot pane with the guided responses in the Microsoft Defender incident page." lightbox="/defender/media/copilot-in-defender/guided-response/copilot-defender-guided-response.png":::
 
 2. Review each card before applying the recommendations. Select the More actions ellipsis (...) on top of a response card to view the options available for each recommendation. Here are some examples.
 
-   ![Screenshot highlighting the options available to users in a guided response card in the Copilot side panel.](/defender/media/copilot-in-defender/guided-response/copilot-defender-guided-response-more-actions1.png)
+   ![Screenshot that shows the options available to users in a guided response card in the Copilot side panel.](/defender/media/copilot-in-defender/guided-response/copilot-defender-guided-response-more-actions1.png)
 
-   ![Screenshot highlighting the options available to users in an automation response card in the Copilot pane in Microsoft Defender XDR.](/defender/media/copilot-in-defender/guided-response/copilot-defender-guided-response-more-actions2.png)
+   ![Screenshot that shows the options available to users in an automation response card in the Copilot pane in Microsoft Defender XDR.](/defender/media/copilot-in-defender/guided-response/copilot-defender-guided-response-more-actions2.png)
 
 3. To apply an action, select the desired action found on each card. The guided response action on each card is tailored to the type of incident and the specific entity involved.
 
-   :::image type="content" source="/defender/media/copilot-in-defender/guided-response/copilot-defender-guided-response-actions-small.png" alt-text="Screenshot of the guided response cards in the Copilot pane in Microsoft Defender." lightbox="/defender/media/copilot-in-defender/guided-response/copilot-defender-guided-response-actions.png":::
+   :::image type="content" source="/defender/media/copilot-in-defender/guided-response/copilot-defender-guided-response-actions-small.png" alt-text="Screenshot that shows the guided response cards in the Copilot pane in Microsoft Defender." lightbox="/defender/media/copilot-in-defender/guided-response/copilot-defender-guided-response-actions.png":::
 
-4. You can provide feedback to each response card to continuously enhance future responses from Copilot. To provide feedback, select the feedback icon ![Screenshot of the feedback icon for Copilot in Defender cards](/defender/media/copilot-in-defender/copilot-defender-feedback.png) found on the bottom right of each card.
+4. You can provide feedback to each response card to continuously enhance future responses from Copilot. To provide feedback, select the feedback icon ![Screenshot that shows the feedback icon for Copilot in Defender cards](/defender/media/copilot-in-defender/copilot-defender-feedback.png) found on the bottom right of each card.
 
 > [!NOTE]
 > Grayed out action buttons mean these actions are limited by your permission. [Refer to the unified role-based access (RBAC) permissions](manage-rbac.md) page for more information.
 
@@ -33,7 +33,7 @@ ms.date: 04/01/2024
 - Microsoft Defender XDR
 - Microsoft Defender unified security operations center (SOC) platform
 
-Microsoft Defender XDR applies the capabilities of [Copilot for Security](/security-copilot/microsoft-security-copilot) to summarize incidents, delivering impactful information and insights to simplify investigation tasks. Attack investigation is a crucial step for incident response teams to successfully defend an organization against further damage from a cyber threat. Investigations can oftentimes be time-consuming as it involves numerous steps. Incident response teams need to understand how the attack happened: sort through numerous alerts, identify which assets and entities are involved, and assess the scope and impact of an attack.
+Microsoft Defender XDR applies the capabilities of [Copilot for Security](/security-copilot/microsoft-security-copilot) to summarize incidents, delivering impactful information and insights to simplify investigation tasks. Attack investigation is a crucial step for incident response teams to successfully defend an organization against further damage from a cyber threat. Investigations can often be time-consuming as it involves numerous steps. Incident response teams need to understand how the attack happened: sort through numerous alerts, identify which assets and entities are involved, and assess the scope and impact of an attack.
 
 Incident responders can easily gain the right context to investigate and remediate incidents through Defender XDR's correlation capabilities and Copilot for Security's AI-powered data processing and contextualization. With an incident summary, responders can quickly get important information to help in their investigation.
 
@@ -57,12 +57,17 @@ To summarize an incident, perform the following steps:
 1. Open an incident page. Copilot automatically creates an incident summary upon opening the page. You can stop the summary creation by selecting **Cancel** or restart creation by selecting **Regenerate**.
 
 2. The incident summary card loads on the Copilot pane. Review the generated summary on the card.
-   :::image type="content" source="/defender/media/copilot-in-defender/incident-summary/copilot-defender-incident-summary-small.png" alt-text="Screenshot of the incident summary card on the Copilot pane as seen in the Microsoft Defender incident page." lightbox="/defender/media/copilot-in-defender/incident-summary/copilot-defender-incident-summary.png":::
+ 
+   :::image type="content" source="/defender/media/copilot-in-defender/incident-summary/copilot-defender-incident-summary-small.png" alt-text="Screenshot that shows the incident summary card on the Copilot pane as seen in the Microsoft Defender incident page." lightbox="/defender/media/copilot-in-defender/incident-summary/copilot-defender-incident-summary.png":::
+
    > [!TIP]
    > You can navigate to a file, IP, or URL page from the Copilot results pane by clicking on the evidence in the results.
-3. Select the **More actions** ellipsis (...) at the top of the incident summary card to copy or regenerate the summary, or view the summary in the Copilot for Security portal. Selecting **Open in Copilot for Security** opens a new tab to the Copilot for Security standalone portal where you can input prompts and access other plugins.
-   :::image type="content" source="/defender/media/copilot-in-defender/incident-summary/copilot-defender-incident-summary-more-actions.png" alt-text="Screenshot highlighting the actions available on the incident summary card." lightbox="/defender/media/copilot-in-defender/incident-summary/copilot-defender-incident-summary-more-actions.png":::
-4. Review the summary and use the information to guide your investigation and response to the incident. You can provide feedback on the summary by selecting the feedback icon ![Screenshot of the feedback icon for Copilot in Defender cards](/defender/media/copilot-in-defender/copilot-defender-feedback.png) found on the bottom of the Copilot pane.
+
+1. Select the **More actions** ellipsis (...) at the top of the incident summary card to copy or regenerate the summary, or view the summary in the Copilot for Security portal. Selecting **Open in Copilot for Security** opens a new tab to the Copilot for Security standalone portal where you can input prompts and access other plugins.
+
+   :::image type="content" source="/defender/media/copilot-in-defender/incident-summary/copilot-defender-incident-summary-more-actions.png" alt-text="Screenshot that shows the actions available on the incident summary card." lightbox="/defender/media/copilot-in-defender/incident-summary/copilot-defender-incident-summary-more-actions.png":::
+
+1. Review the summary and use the information to guide your investigation and response to the incident. You can provide feedback on the summary by selecting the feedback icon ![Screenshot of the feedback icon for Copilot in Defender cards](/defender/media/copilot-in-defender/copilot-defender-feedback.png) found on the bottom of the Copilot pane.
 
 ## See also