Merge pull request #654 from MicrosoftDocs/main

aditisrivastava07 · web-flow · commit 2add3c0244b6 · 2024-06-10T15:30:26.000+05:30
Publish main to live, 06/10, 3:30 PM IST
diff --git a/defender-endpoint/demonstration-behavior-monitoring.md b/defender-endpoint/demonstration-behavior-monitoring.md
@@ -28,27 +28,102 @@ ms.date: 05/15/2024
 - [Microsoft Defender Antivirus](microsoft-defender-antivirus-windows.md)
 - [Microsoft Defender for Individuals](https://www.microsoft.com/microsoft-365/microsoft-defender-for-individuals)
 
-Behavior Monitoring in Microsoft Defender Antivirus monitors process behavior to detect and analyze potential threats based on the behavior of applications, services, and files. Rather than relying solely on content matching, which identifies known malware patterns, behavior monitoring focuses on observing how software behaves in real-time.
+Behavior monitoring in Microsoft Defender Antivirus monitors process behavior to detect and analyze potential threats based on the behavior of applications, services, and files. Rather than relying solely on content matching, which identifies known malware patterns, behavior monitoring focuses on observing how software behaves in real-time.
 
 ## Scenario requirements and setup
 
-- This demonstration only runs on macOS
+- Windows 11, Windows 10, Windows 8.1, Windows 7 SP1
+
+- Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012, and Windows Server 2008 R2
+
+- macOS
+
 - [Microsoft Defender Real-time protection is enabled](#verify-microsoft-defender-real-time-protection-is-enabled)
+
 - [Behavior Monitoring is enabled](#enable-behavior-monitoring-for-microsoft-defender-for-endpoint)
 
+## Windows
+
+### Verify Microsoft Defender real-time protection is enabled
+
+To verify real-time protection is enabled, open PowerShell as an administrator, and then run the following command:
+
+```powershell
+get-mpComputerStatus |ft RealTimeProtectionEnabled
+```
+
+When real-time protection is enabled, the result shows a value of `True`.
+
+### Enable Behavior Monitoring for Microsoft Defender for Endpoint
+
+For more information on how to enable Behavior Monitoring for Defender for Endpoint, see [how to enable Behavior Monitoring](/defender-endpoint/behavior-monitor).
+
+### Demonstration of how Behavior Monitoring works in Windows and Windows Server
+
+To demonstrate how Behavior Monitoring blocks a payload, run the following PowerShell command:
+
+```powershell
+powershell.exe -NoExit -Command "powershell.exe hidden 12154dfe-61a5-4357-ba5a-efecc45c34c4"
+```
+
+The output contains an expected error as follows:
+
+```console
+hidden : The term 'hidden' is not recognized as the name of a cmdlet, function, script, script file, or operable program.  Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
+At line:1 char:1
++hidden 12154dfe-61a5-4357-ba5a-efecc45c34c4
++""""""
+CategoryInfo             : ObjectNotFound: (hidden:String) [], CommandNotFoundException
+FullyQualifiedErrorId : CommandNotFoundException
+```
+
+In the Microsoft Defender portal, in the Action center, you should see the following information:
+
+- Windows Security
+- Threats found
+- Microsoft Defender Antivirus found threats. Get details.
+- Dismiss
+
+If you select the link, your Windows Security app opens. Select **Protection history**.
+
+You should see information that resembles the following output:
+
+```console
+Threat blocked
+Detected: Behavior:Win32/BmTestOfflineUI
+Status: Removed
+A threat or app was removed from this device.
+Date: 6/7/2024 11:51 AM
+Details: This program is dangerous and executes command from an attacker.
+Affected items:
+behavior: process: C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe, pid:6132:118419370780344
+process: pid:6132,ProcessStart:133621698624737241
+Learn more	Actions
+```
+
+In the [Microsoft Defender portal](https://security.microsoft.com), you should see information like this: 
+
+`Suspicious 'BmTestOfflineUI' behavior was blocked`
+
+When you select it, you see the alert tree that has the following information:
+
+`Defender detected and terminated active 'Behavior:Win32/BmTestOfflineUI' in process 'powershell.exe' during behavior monitoring`
+
+## macOS
+
 ### Verify Microsoft Defender Real-time protection is enabled
 
 To verify real-time protection (RTP) is enabled, open a terminal window and copy and execute the following command:
 
-  ```bash
-  mdatp health --field real_time_protection_enabled
-  ```
+```bash
+mdatp health --field real_time_protection_enabled
+```
 
 When RTP is enabled, the result shows a value of 1.
 
 ### Enable Behavior Monitoring for Microsoft Defender for Endpoint
 
-For more information on how to enable Behavior Monitoring for Defender for Endpoint, see [Deployment instructions](behavior-monitor-macos.md#deployment-instructions).
+For more information on how to enable behavior monitoring for Defender for Endpoint, see [Deployment instructions](behavior-monitor-macos.md#deployment-instructions).
 
 ### Demonstration of how Behavior Monitoring works
 
@@ -63,7 +138,8 @@ To demonstrate how Behavior Monitoring blocks a payload:
    sleep 5
    ```
 
-2. Save as BM_test.sh
+2. Save as `BM_test.sh`.
+
 3. Run the following command to make the bash script executable:
 
    ```bash
@@ -72,30 +148,32 @@ To demonstrate how Behavior Monitoring blocks a payload:
 
 4. Run the bash script:
 
-  ```bash
-  sudo bash BM_test.sh
-  ```
+   ```bash
+   sudo bash BM_test.sh
+   ```
 
-The result shows:
+   The result should look like this
 
-zsh: killed      sudo bash BM_test.sh
+   `zsh: killed      sudo bash BM_test.sh`
 
-The file was quarantined by Defender for Endpoint on macOS. Use the following command to list all the detected threats:
+   The file was quarantined by Defender for Endpoint on macOS. Use the following command to list all the detected threats:
 
-```bash
-mdatp threat list
-```
+   ```bash
+   mdatp threat list
+   ```
 
-The result shows:
+   The result shows information like this:
 
-ID: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+   ```console
+   ID: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
 
-Name: Behavior: MacOS/MacOSChangeFileTest
+   Name: Behavior: MacOS/MacOSChangeFileTest
 
-Type: "behavior"
+   Type: "behavior"
 
-Detection time: Tue May 7 20:23:41 2024
+   Detection time: Tue May 7 20:23:41 2024
 
-Status: "quarantined"
+   Status: "quarantined"
+   ```
 
-If you have Microsoft Defender for Endpoint P2/P1 or Microsoft Defender for Business, go to the [Microsoft Defender XDR portal](https://security.microsoft.com), and you'll see an alert named: "Suspicious 'MacOSChangeFileTest' behavior was blocked."
+If you have Microsoft Defender for Endpoint P2/P1 or Microsoft Defender for Business, go to the [Microsoft Defender portal](https://security.microsoft.com), and you see an alert titled, *Suspicious 'MacOSChangeFileTest' behavior was blocked*.
diff --git a/defender-office-365/air-custom-reporting.md b/defender-office-365/air-custom-reporting.md
@@ -30,8 +30,6 @@ appliesto:
 
 With [Microsoft Defender for Office 365](mdo-about.md), you get [detailed information about automated investigations](air-view-investigation-results.md). However, some organizations also use a custom or third-party reporting solution. If your organization wants to integrate information about [automated investigations](air-about.md) with such a solution, you can use the Office 365 Management Activity API.
 
-With [Microsoft Defender for Office 365](mdo-about.md), you get [detailed information about automated investigations](air-view-investigation-results.md). However, some organizations also use a custom or third-party reporting solution. If your organization wants to integrate information about automated investigations with such a solution, you can use the Office 365 Management Activity API.
-
 |Resource|Description|
 |:---|:---|
 |[Office 365 Management APIs overview](/office/office-365-management-api/office-365-management-apis-overview)|The Office 365 Management Activity API provides information about various user, admin, system, and policy actions and events from Microsoft 365 and Microsoft Entra activity logs.|
diff --git a/defender-xdr/advanced-hunting-cloudappevents-table.md b/defender-xdr/advanced-hunting-cloudappevents-table.md
@@ -15,7 +15,7 @@ ms.collection:
 - m365-security
 - tier3
 ms.topic: reference
-ms.date: 12/29/2023
+ms.date: 06/09/2024
 ---
 
 # CloudAppEvents
@@ -65,6 +65,8 @@ For information on other tables in the advanced hunting schema, [see the advance
 | `AdditionalFields` | `dynamic` | Additional information about the entity or event |
 | `LastSeenForUser` | `string` | Shows how many days back the attribute was recently in use by the user in days (i.e. ISP, ActionType etc.)  |
 | `UncommonForUser` | `string` | Lists the attributes in the event that are uncommon for the user, using this data to help rule out false positives and find out anomalies |
+| `AuditSource` | `string` | Audit data source, including one of the following: <br>- Defender for Cloud Apps access control <br>- Defender for Cloud Apps session control <br>- Defender for Cloud Apps app connector |
+| `SessionData` |`dynamic` | The Defender for Cloud Apps session ID for access or session control. For example: `{InLineSessionId:"232342"}` |
 
 ## Apps and services covered
 
