Merge branch 'main' into permli

Author: tarTech23

defender-endpoint/edr-detection.md

@@ -15,7 +15,7 @@ ms.custom: admindeeplinkDEFENDER
 ms.topic: conceptual
 ms.subservice: edr
 search.appverid: met150
-ms.date: 08/01/2024
+ms.date: 08/06/2024
 ---
 
 # EDR detection test for verifying device's onboarding and reporting services
@@ -33,7 +33,7 @@ ms.date: 08/01/2024
 - macOS
 - Microsoft Defender for Endpoint
 - Microsoft Defender for Endpoint on Linux
-- Microsoft Defender for Endpoint on macOS
+<!---- Microsoft Defender for Endpoint on macOS--->
 
 Endpoint detection and response for Endpoint provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats.
 
@@ -43,14 +43,13 @@ Run an EDR detection test to verify that the device is properly onboarded and re
 
 1. Open a Command Prompt window
 
-2. At the prompt, copy and run the command below. The Command Prompt window will close automatically.
+2. At the prompt, copy and run the following command. The Command Prompt window closes automatically.
 
+   ```powershell
+   powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference= 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-WDATP-test\\invoice.exe');Start-Process 'C:\\test-WDATP-test\\invoice.exe'
+   ```
 
-```powershell
-powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference= 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-WDATP-test\\invoice.exe');Start-Process 'C:\\test-WDATP-test\\invoice.exe'
-```
-
-3. If successful, the detection test will be marked as completed and a new alert will appear in few minutes.
+3. If successful, the detection test is marked as completed and a new alert appears within a few minutes.
 
 ### Linux
 
@@ -64,7 +63,7 @@ curl -o ~/Downloads/MDE Linux DIY.zip https://aka.ms/MDE-Linux-EDR-DIY
 1. Extract the zip 
 
 ```bash
-unzip ~/Downloads/MDE Linux DIY.zip
+unzip ~/Downloads/MDE-Linux-EDR-DIY.zip
 ```
 
 1. And run the following command: 
@@ -77,6 +76,7 @@ After a few minutes, a detection should be raised in Microsoft Defender XDR.
 
 3. Look at the alert details, machine timeline, and perform your typical investigation steps.
 
+<!---
 ### macOS
 
 1. In your browser, Microsoft Edge for Mac or Safari, download *MDATP MacOS DIY.zip* from [https://aka.ms/mdatpmacosdiy](https://aka.ms/mdatpmacosdiy) and extract.
@@ -129,12 +129,16 @@ After a few minutes, a detection should be raised in Microsoft Defender XDR.
 
     Look at the alert details and the device timeline, and perform the regular investigation steps.
 
- Next steps that you can consider performing are to add AV exclusions as needed for application compatibility or performance:
+--->
+
+## Next steps
+
+If you're experiencing issues with application compatibility or performance, you might consider adding exclusions. See the following articles for more information:
 
 - [Configure and validate exclusions for Microsoft Defender for Endpoint on macOS](mac-exclusions.md)
 - [Address false positives/negatives in Microsoft Defender for Endpoint](defender-endpoint-false-positives-negatives.md)
 - [Manage suppression rules](manage-suppression-rules.md)
 - [Create indicators of compromise (IoC)](manage-indicators.md)
 - [Create and manage custom detections rules](/defender-xdr/custom-detection-rules)
 
-Read through [Microsoft Defender for Endpoint Security Operations Guide](mde-sec-ops-guide.md).
+Also, see the [Microsoft Defender for Endpoint Security Operations Guide](mde-sec-ops-guide.md).

defender-endpoint/microsoft-defender-endpoint-mac.md

@@ -15,7 +15,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: macos
 search.appverid: met150
-ms.date: 05/08/2024
+ms.date: 08/06/2024
 ---
 
 # Microsoft Defender for Endpoint on Mac
@@ -70,14 +70,17 @@ There are several methods and deployment tools that you can use to install and c
 ### System requirements
 
 The three most recent major releases of macOS are supported.
+
 - 14 (Sonoma), 13 (Ventura), 12 (Monterey)
+
   > [!IMPORTANT]
   > On macOS 11 (Big Sur) and above, Microsoft Defender for Endpoint requires additional configuration profiles. If you are an existing customer upgrading from earlier versions of macOS, make sure to deploy the additional configuration profiles listed on [New configuration profiles for macOS Big Sur and newer versions of macOS](mac-sysext-policies.md).
 
-- Supported processors: x64 and ARM64.
+- Supported processors: x64 and ARM64
+
 - Disk space: 1GB
 
-Beta versions of macOS aren't supported.
+- Beta versions of macOS aren't supported.
 
 After you've enabled the service, you may need to configure your network or firewall to allow outbound connections between it and your endpoints.
 
@@ -119,6 +122,8 @@ If a proxy or firewall is blocking anonymous traffic, make sure that anonymous t
 >
 > SSL inspection and intercepting proxies are also not supported for security reasons. Configure an exception for SSL inspection and your proxy server to directly pass through data from Microsoft Defender for Endpoint on macOS to the relevant URLs without interception. Adding your interception certificate to the global store will not allow for interception.
 
+#### Test network connectivity
+
 To test that a connection isn't blocked, open <https://x.cp.wd.microsoft.com/api/report> and <https://cdn.x.cp.wd.microsoft.com/ping> in a browser.
 
 If you prefer the command line, you can also check the connection by running the following command in Terminal:

defender-office-365/quarantine-faq.yml

@@ -6,7 +6,7 @@ metadata:
   ms.author: chrisda
   author: chrisda
   manager: deniseb
-  ms.date: 11/3/2023
+  ms.date: 08/05/2024
   audience: ITPro
   ms.topic: faq
 
@@ -81,6 +81,9 @@ sections:
 
           If the quarantine policy requires users to request the release of messages or requires admins to release messages, an admin must [approve the release request](quarantine-admin-manage-messages-files.md#approve-or-deny-release-requests-from-users-for-quarantined-email) or [release the message](quarantine-admin-manage-messages-files.md#release-quarantined-email) before the message is available to users.
 
+          You can't customize quarantine policies in preset security policies.
+
+
       - question: |
           What messages can end users access in quarantine?
         answer: |
@@ -93,7 +96,7 @@ sections:
       - question: |
           How can I prevent users from accessing quarantined messages?
         answer: |
-          The default quarantine policy named AdminOnlyAccessPolicy prevents any user interaction with their quarantined messages. By default, this quarantine policy is used for messages that were quarantined as malware or high confidence phishing. In custom policies or the default policy for [protection features that support quarantining messages](quarantine-policies.md#step-2-assign-a-quarantine-policy-to-supported-features), admins can specify the AdminOnlyAccessPolicy as the quarantine policy to use.
+          The default quarantine policy named AdminOnlyAccessPolicy prevents any user interaction with their quarantined messages. By default, this quarantine policy is used for messages that were quarantined as malware or high confidence phishing. In custom policies or the default policy for [protection features that support quarantining messages](quarantine-policies.md#step-2-assign-a-quarantine-policy-to-supported-features), admins can specify the AdminOnlyAccessPolicy as the quarantine policy to use. You can prevent end users from accessing `security.microsoft.com/quarantine`.
 
       - question: |
           How do I find out why a message was quarantined?
@@ -111,6 +114,8 @@ sections:
 
           When a message expires from quarantine, you can't recover it.
 
+          By default, messages from blocked senders are hidden from view in quarantine. Users need to select **Filter** and then deselect **Don't show blocked senders** to see all messages coming from blocked senders.
+
       - question: |
           A message was released from quarantine, but the original recipient can't find it. How can I determine what happened to the message?
         answer: |
@@ -121,6 +126,10 @@ sections:
 
             Verify that you aren't using third party filtering before you open a support ticket about these issues.
 
+            If a third party filter isn't preventing the message from reaching the user's Inbox, then admins can use force release functionality to release message (if the first release didn't work).
+
+            Admin should try to release the message to an alternate mailbox if the forced release doesn't work after third party filtering vendor is turned off.
+
           - Inbox rules ([created by users in Outlook](https://support.microsoft.com/office/c24f5dea-9465-4df4-ad17-a50704d66c59) or by admins using the **\*-InboxRule** cmdlets in Exchange Online PowerShell) can move or delete messages from the Inbox.
 
           Admins can use [message trace](message-trace-defender-portal.md) to determine if a released message was delivered to the recipient's Inbox.
@@ -132,13 +141,17 @@ sections:
 
           Verify that you aren't using third party filtering before you open a support ticket about this issue.
 
+          Admins can also use the audit log to see who released a message from Quarantine.
+
       - question: |
           Can I release or report more than one quarantined message at a time?
         answer: |
           In the Microsoft Defender portal, you can select and release up to 100 messages at a time.
 
           Admins can use the [Get-QuarantineMessage](/powershell/module/exchange/get-quarantinemessage) and [Release-QuarantineMessage](/powershell/module/exchange/release-quarantinemessage) cmdlets in Exchange Online PowerShell or standalone EOP PowerShell to find and release quarantined messages in bulk, and to report false positives in bulk.
 
+          Admins can also bulk delete messages.
+
       - question: |
           Are wildcards supported when searching for quarantined messages? Can I search for quarantined messages for a specific domain?
         answer: |
@@ -200,6 +213,8 @@ sections:
 
           Also, the protection policies in [preset security policies](preset-security-policies.md) are always applied _before_ custom protection policies. A user who's defined in the Standard or Strict preset security policy will never get a customized protection policy where the quarantine policy is customized to turn on quarantine notifications. For more information, see [Policy settings in preset security policies](preset-security-policies.md#policy-settings-in-preset-security-policies)
 
+          Quarantine notifications aren't enabled for messages quarantined by Exchange mail flow rules (transport rules) or data loss prevention (DLP). These messages have the AdminOnly quarantine policy. Quarantine notifications are also no generated for messages with DefaultFullAccess quarantine policy.
+
       - question: |
           How do I customize quarantine notifications to add a custom logo?
         answer: |
@@ -210,6 +225,8 @@ sections:
         answer: |
           See the permissions entry [here](quarantine-admin-manage-messages-files.md#what-do-you-need-to-know-before-you-begin).
 
+          Admins can release quarantined messages to external recipients that aren't in their organization.
+
           > [!TIP]
           > The ability to manage quarantined messages using [Exchange Online permissions](/exchange/permissions-exo/permissions-exo) ended in February 2023 per MC447339.
           >
@@ -224,3 +241,37 @@ sections:
           I can't preview a quarantined Microsoft Teams message. What's going on?
         answer: |
           If a user deletes the message from the Teams client, the message is gone, so Preview isn't available in quarantine for the deleted message.
+
+      - question: |
+          I can't see the **Block sender** button or the **Approve release** button. What's going on?
+        answer: |
+          The **Block sender** action is disabled by default for quarantined messages. However, admins can create a custom quarantine policy to include the **Block sender** action for end users.
+
+          The **Approve release** button has been retired and replaced by the **Release** button.
+
+      - question: |
+          **Filter** and **Search** aren't working. What's going on?
+        answer: |
+          The **Search** box applies to loaded quarantine messages only.
+
+          To filter by Internet Message ID, you need to ensure that angle brackets `<>` are always inluded (even in PowerShell).
+
+      - question: |
+          Released quarantine messages are still showing up in Quarantine. What's going on?
+        answer: |
+          Released messages remain visible in quarantine unless they're explicitly deleted from quarantine.
+
+      - question: |
+          Release request alerts aren't being generated. What's going on?
+        answer: |
+          Audit logging needs to be enabled (it's on by default).
+
+      - question: |
+          Duplicate or multiple quarantine notifications are sent to the same user.
+        answer: |
+          Mutiple or duplicate quarantine notifications are sent if the SendFromAliasEnabled paraMETER value is True.
+
+      - question: |
+          I can't see all recipients of a quarantined message. What's going on?
+        answer: |
+          For quarantine messages with a large number of recipients, we don't show all of the recipients. However, admins can use **View message header** or **Preview message** to see all recipients.

defender-xdr/advanced-hunting-query-results.md

@@ -111,6 +111,28 @@ After running a query, select **Export** to save the results to local file. Your
 - **Table view**—The query results are exported in tabular form as a Microsoft Excel workbook
 - **Any chart**—The query results are exported as a JPEG image of the rendered chart
 
+## Filter results
+
+After running a query, select **Filter** to narrow down the results. 
+
+:::image type="content" source="/defender/media/add-filter1.png" alt-text="Screenshot of filters in advanced hunting." lightbox="/defender/media/add-filter1.png":::
+
+To add a filter, select the data you want to filter for by selecting one or more of the check boxes. Then select **Add**.
+
+:::image type="content" source="/defender/media/add-filter2.png" alt-text="Screenshot of filters dropdown in advanced hunting." lightbox="/defender/media/add-filter2.png":::
+
+You can narrow the results down even further to specific data by selecting the newly added filter. 
+
+:::image type="content" source="/defender/media/add-filter3.png" alt-text="Screenshot of new filter pill in advanced hunting." lightbox="/defender/media/add-filter3.png":::
+
+This opens a dropdown showing the possible filters you can use further. Select one or more of the check boxes, then select **Apply**.
+
+:::image type="content" source="/defender/media/add-filter4.png" alt-text="Screenshot of new filter's dropdown in advanced hunting." lightbox="/defender/media/add-filter4.png":::
+
+Confirm that you have added the filters that you wanted by checking the Filters section. 
+
+:::image type="content" source="/defender/media/add-filter5.png" alt-text="Screenshot of filters added advanced hunting." lightbox="/defender/media/add-filter5.png":::
+
 ## Drill down from query results
 
 You can also explore the results in-line with the following features:

defender-xdr/m365d-remediation-actions.md

@@ -16,7 +16,7 @@ ms.collection:
 ms.topic: conceptual
 ms.custom: autoir
 ms.reviewer: evaldm, isco
-ms.date: 02/17/2024
+ms.date: 08/06/2024
 ---
 
 # Remediation actions in Microsoft Defender XDR
@@ -27,7 +27,7 @@ ms.date: 02/17/2024
 
 - Microsoft Defender XDR
 
-During and after an automated investigation in Microsoft Defender XDR, remediation actions are identified for malicious or suspicious items. Some kinds of remediation actions are taken on devices, also referred to as endpoints. Other remediation actions are taken on identities, accounts, and email content. Automated investigations complete after remediation actions are taken, approved, or rejected.
+During and after an automated investigation in Microsoft Defender XDR, remediation actions are identified for malicious or suspicious items. Some kinds of remediation actions are taken on devices, also referred to as endpoints. Other remediation actions are taken on identities, accounts, and email content. In addition, some types of remediation actions can occur automatically, whereas other types of remediation actions are taken manually by your organization's security team. When an automated investigation results in one or more remediation actions, the investigation completes only when the remediation actions are taken, approved, or rejected.
 
 > [!IMPORTANT]
 > Whether remediation actions are taken automatically or only upon approval depends on certain settings, such as automation levels. To learn more, see the following articles:

defender-xdr/whats-new.md

@@ -63,7 +63,7 @@ You can also get product updates and important notifications through the [messag
 - (Preview) You can now filter your Microsoft Defender for Cloud alerts by the associated **alert subscription ID** in the Incidents and Alerts queues. For more information, see [Microsoft Defender for Cloud in Microsoft Defender XDR](microsoft-365-security-center-defender-cloud.md).
 
 
-
+- (GA) You can now **[filter your results](advanced-hunting-query-results.md#filter-results)** in advanced hunting so you can narrow down your investigation on specific data you want to focus on.
 
 ## May 2024