Merge pull request #3649 from MicrosoftDocs/main

[AutoPublish] main to live - 05/02 15:32 PDT | 05/03 04:02 IST

Author: Ruchika-mittal01

defender-endpoint/TOC.yml

@@ -252,14 +252,14 @@
                 href: manage-sys-extensions-using-jamf.md
               - name: Manual deployment
                 href: manage-sys-extensions-manual-deployment.md
-            
+           
         - name: Defender for Endpoint on Linux
           items:
           - name: Deploy Defender for Endpoint on Linux
             items:
-            - name: 1 - Prerequisites
+            - name: Prerequisites
               href: mde-linux-prerequisites.md
-            - name: 2 - Choose a deployment method
+            - name: Choose a deployment method
               items:
               - name: Installer script based deployment
                 href: linux-installer-script.md
@@ -277,28 +277,28 @@
                 href: /azure/defender-for-cloud/onboard-machines-with-defender-for-endpoint?toc=/defender-endpoint/toc.json&bc=/defender-endpoint/breadcrumb/toc.json
               - name: Deployment guidance for Defender for Endpoint on Linux for SAP
                 href: mde-linux-deployment-on-sap.md
-            - name: 3 - Configuration
+          - name: Configure Defender for Endpoint on Linux
+            items:
+            - name: Configure security policies and settings
+              href: linux-preferences.md
+            - name: Static proxy configuration
+              href: linux-static-proxy-configuration.md
+            - name: Configure antivirus scans
               items:
-              - name: Configure security policies and settings
-                href: linux-preferences.md
-              - name: Static proxy configuration
-                href: linux-static-proxy-configuration.md
-              - name: Configure antivirus scans
-                items:
-                - name: Schedule antivirus scans using Anacron
-                  href: schedule-antivirus-scan-anacron.md
-                - name: Schedule antivirus scans using Crontab
-                  href: schedule-antivirus-scan-crontab.md
-              - name: Network protection for Linux
-                href: network-protection-linux.md
-              - name: Configure and validate exclusions on Linux
-                href: linux-exclusions.md
-              - name: Configure eBPF-based sensor
-                href: linux-support-ebpf.md 
-              - name: Detect and block Potentially Unwanted Applications
-                href: linux-pua.md
-              - name: Configure Offline Security Intelligence Update
-                href: linux-support-offline-security-intelligence-update.md
+              - name: Schedule antivirus scans using Anacron
+                href: schedule-antivirus-scan-anacron.md
+              - name: Schedule antivirus scans using Crontab
+                href: schedule-antivirus-scan-crontab.md
+            - name: Network protection for Linux
+              href: network-protection-linux.md
+            - name: Configure and validate exclusions on Linux
+              href: linux-exclusions.md
+            - name: Configure eBPF-based sensor
+              href: linux-support-ebpf.md 
+            - name: Detect and block Potentially Unwanted Applications
+              href: linux-pua.md
+            - name: Configure Offline Security Intelligence Update
+              href: linux-support-offline-security-intelligence-update.md
           - name: Update Defender for Endpoint on Linux
             items: 
             - name: Update Defender for Endpoint on Linux
@@ -307,7 +307,7 @@
               href: linux-update-mde-linux.md
           - name: Privacy for Defender for Endpoint on Linux
             href: linux-privacy.md
-          - name: Resources for Microsoft Defender for Endpoint on Linux
+          - name: Additional resources for Defender for Endpoint on Linux
             href: linux-resources.md
         - name: Mobile Threat Defense
           items:

defender-endpoint/defender-endpoint-plan-1.md

@@ -10,7 +10,7 @@ ms.topic: overview
 ms.service: defender-endpoint
 ms.subservice: onboard
 ms.localizationpriority: medium
-ms.date: 02/13/2025
+ms.date: 05/02/2025
 ms.reviewer: shlomiakirav
 f1.keywords: NOCSH
 ms.collection: 
@@ -83,23 +83,14 @@ To learn more, see the following articles:
 
 Your organization's attack surfaces are all the places where you're vulnerable to cyberattacks. With Defender for Endpoint Plan 1, you can reduce your attack surfaces by protecting the devices and applications that your organization uses. The attack surface reduction capabilities that are included in Defender for Endpoint Plan 1 are described in the following sections.
 
-- [Overview of Microsoft Defender for Endpoint Plan 1](#overview-of-microsoft-defender-for-endpoint-plan-1)
-  - [Defender for Endpoint Plan 1 capabilities](#defender-for-endpoint-plan-1-capabilities)
-  - [Next-generation protection](#next-generation-protection)
-  - [Manual response actions](#manual-response-actions)
-  - [Attack surface reduction](#attack-surface-reduction)
-    - [Attack surface reduction rules](#attack-surface-reduction-rules)
-    - [Ransomware mitigation](#ransomware-mitigation)
-    - [Device control](#device-control)
-    - [Web protection](#web-protection)
-    - [Network protection](#network-protection)
-    - [Network firewall](#network-firewall)
-    - [Application control](#application-control)
-  - [Centralized management](#centralized-management)
-    - [Role-based access control](#role-based-access-control)
-    - [Reporting](#reporting)
-    - [APIs](#apis)
-  - [Next steps](#next-steps)
+- [Attack surface reduction](#attack-surface-reduction)
+- [Attack surface reduction rules](#attack-surface-reduction-rules)
+- [Ransomware mitigation](#ransomware-mitigation)
+- [Device control](#device-control)
+- [Web protection](#web-protection)
+- [Network protection](#network-protection)
+- [Network firewall](#network-firewall)
+- [Application control](#application-control)
 
 To learn more about attack surface reduction capabilities in Defender for Endpoint, see [Overview of attack surface reduction](overview-attack-surface-reduction.md).
 
@@ -191,17 +182,17 @@ With the Defender for Endpoint APIs, you can automate workflows and integrate wi
 
 To learn more, see [Defender for Endpoint APIs](api/management-apis.md). 
 
-- **Microsoft Defender for Servers Plan 1 or Plan 2** (*recommended for enterprise customers*) as part of the [Defender for Cloud](/azure/defender-for-cloud/defender-for-cloud-introduction) offering. To learn more. see [Overview of Microsoft Defender for Servers](/azure/defender-for-cloud/defender-for-servers-introduction).
-- **Microsoft Defender for Endpoint Server** (*recommended for enterprise customers*). To learn more, see [Defender for Endpoint onboarding Windows Server](onboard-windows-server.md).
-- **Microsoft Defender for Business servers** (*for small and medium-sized businesses who have [Microsoft Defender for Business](/defender-business/mdb-overview)*). To learn more, see [How to get Microsoft Defender for Business servers](/defender-business/get-defender-business#how-to-get-microsoft-defender-for-business-servers).
-
-See [Microsoft licensing and product terms](https://www.microsoft.com/en-us/licensing/product-licensing/products).
-
 ## Next steps
 
 - [Set up and configure Defender for Endpoint Plan 1](mde-p1-setup-configuration.md)
+
+## Related content
+
 - [Get started with Defender for Endpoint Plan 1](mde-plan1-getting-started.md)
 - [Manage Defender for Endpoint Plan 1](preferences-setup.md)
 - [Learn about exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md)
+- [Onboard client devices running Windows or macOS to Microsoft Defender for Endpoint](onboard-client.md)
+- [Onboard servers through Microsoft Defender for Endpoint's onboarding experience](onboard-server.md)
+- [Microsoft Defender for Endpoint - Mobile Threat Defense](mtd.md)
 
 [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]

defender-endpoint/mac-install-manually.md

@@ -16,7 +16,7 @@ ms.custom: admindeeplinkDEFENDER
 ms.topic: conceptual
 ms.subservice: macos
 search.appverid: met150
-ms.date: 04/16/2025
+ms.date: 05/01/2025
 ---
 
 # Manual deployment for Microsoft Defender for Endpoint on macOS
@@ -33,7 +33,7 @@ ms.date: 04/16/2025
 This article describes how to deploy Microsoft Defender for Endpoint on macOS manually. A successful deployment requires the completion of all of the following steps:
 
 - [Download installation and onboarding packages](#download-installation-and-onboarding-packages)
-- [Application installation (macOS 11 and newer versions)](#application-installation-macos-11-and-newer-versions)
+- [Application installation (macOS 13 and newer versions)](#application-installation-macos-13-and-newer-versions)
 - [Onboarding Package](#onboarding-package)
 - [Grant Full Disk Access](#allow-full-disk-access)
 - [Ensure Background Execution](#background-execution)
@@ -64,23 +64,23 @@ Download the installation and onboarding packages from Microsoft Defender portal
 
 6. Copy the *wdav.pkg* and *MicrosoftDefenderATPOnboardingMacOs.sh* to the device where you want to deploy the Microsoft Defender for Endpoint on macOS.
 
-## Application installation (macOS 11 and newer versions)
+## Application installation (macOS 13 and newer versions)
 
 To complete this process, you must have admin privileges on the device.
 
 1. Do one of the following steps:
 
-   - Navigate to the downloaded *wdav.pkg* in **Finder** and open it.
+- Navigate to the downloaded *wdav.pkg* in **Finder** and open it.
 
    Or
 
-   - You can download the *wdav.pkg*- from **Terminal**
-
+   - You can download the *wdav.pkg*- from **Terminal**.
+   
      ```console
-     sudo installer -store -pkg /Users/admin/Downloads/wdav.pkg -target /
+     sudo installer -pkg /Users/admin/Downloads/wdav.pkg -target /
      ```
-
-   :::image type="content" source="media/monterey-install-1.png" alt-text="Screenshot that shows the installation process for the application":::
+     
+      :::image type="content" source="media/monterey-install-1.png" alt-text="Screenshot that shows the installation process for the application.":::
 
 2. Select **Continue**.
 
@@ -111,7 +111,7 @@ To complete this process, you must have admin privileges on the device.
 
 9. Select **Install Software**.
 
-10. At the end of the installation process, for macOS Big Sur (11.0) or latest version, you're prompted to approve the system extensions used by the product. Select **Open Security Preferences**.
+10. At the end of the installation process, for macOS Ventura (13.0) or latest version, you're prompted to approve the system extensions used by the product. Select **Open Security Preferences**.
 
     :::image type="content" source="media/monterey-install-2.png" alt-text="Screenshot that shows the system extension approval":::
 

defender-vulnerability-management/fixed-reported-inaccuracies.md

@@ -14,7 +14,7 @@ ms.collection:
 - tier2
 ms.localizationpriority: medium
 ms.topic: troubleshooting
-ms.date: 04/10/2025
+ms.date: 05/02/2025
 ---
 
 # Vulnerability support in Microsoft Defender Vulnerability Management
@@ -33,6 +33,21 @@ This article provides information on inaccuracies that have been reported. You c
  
 The following tables present the relevant vulnerability information organized by month.
 
+## April 2025
+
+| Inaccuracy report ID | Description | Fix date |
+|---|---|---|
+| 86936 | Defender Vulnerability Management doesn't currently support Trimble SketchUp | 22-Apr-25 |
+| - | Defender Vulnerability Management doesn't currently support CVE-2024-30098 | 22-Apr-25 |
+| - | Defender Vulnerability Management doesn't currently support CVE-2025-20206 | 22-Apr-25 |
+| 57842 | Fixed inaccurate detections in Snow Inventory Agent | 23-Apr-25 |
+| 92184 | Fixed inaccurate detections in Amazon Send to Kindle | 23-Apr-25 |
+| 91112 | Fixed incorrect detections in Vendor- Jabra | 23-Apr-25 |
+| 88590 | Fixed incorrect detections in Vendor- PDF Exchange Editor | 23-Apr-25 |
+| - | Fixed inaccuracy in Mattermost Desktop vulnerability- CVE-2023-5920 | 24-Apr-25 |
+| - | Fixed inaccuracy in OpenSSL vulnerabilities- CVE-2024-9143, CVE-2024-13176 & CVE-2024-12797 | 24-Apr-25 |
+| 94679 | Fixed inaccuracy in Secure Client by adding 1.0 as invalid version | 29-Apr-25 |
+
 ## March 2025
 
 | Inaccuracy report ID | Description | Fix date |
@@ -65,7 +80,7 @@ The following tables present the relevant vulnerability information organized by
 | 89577 | Fixed inaccuracy in Gog Galaxy vulnerability - CVE-2023-50915 | 16-Feb-25 |
 | - | Fixed inaccuracy in 6 HP Firmware Vulnerabilities | 16-Feb-25 |
 | 93100 | Fixed inaccuracy in Python CVE-2024-12254 | 16-Feb-25 |
-| - | Fixed inaccuracy in Corel WinZip vulnerbility - CVE-2024-8811 | 23-Feb-25 |
+| - | Fixed inaccuracy in Corel WinZip vulnerability - CVE-2024-8811 | 23-Feb-25 |
 | - | Fixed inaccuracy in Palo Alto Networks GlobalProtect | 26-Feb-25 |
 | - | Fixed inaccuracy in RTT PDF Explorer | 26-Feb-25 |
 | 89928 | Fixed inaccurate detections of Python by excluding invalid paths - "incontrol.exe" and "proccess_comuniccao.exe" | 26-Feb-25 |

defender-xdr/advanced-hunting-limits.md

@@ -18,7 +18,7 @@ ms.custom:
 - cx-ti
 - cx-ah
 ms.topic: how-to
-ms.date: 10/29/2024
+ms.date: 05/02/2025
 ---
 
 # Use the advanced hunting query resource report
@@ -43,6 +43,8 @@ Refer to the following table to understand existing quotas and usage parameters.
 
 In the unified Microsoft Defender portal, you are able to run queries over Microsoft Sentinel tables by onboarding a workspace. [Log analytics workspace limits](/azure/azure-monitor/service-limits#log-analytics-workspaces) therefore also apply. 
 
+For advanced hunting in multitenant organizations, see [Quotas in advanced hunting in multitenant management](/unified-secops-platform/mto-advanced-hunting#quotas).
+
 > [!NOTE]
 > A separate set of quotas and parameters apply to advanced hunting queries performed through the API. [Read about advanced hunting APIs](./api-advanced-hunting.md) 
 

defender-xdr/custom-detection-rules.md

@@ -22,7 +22,7 @@ appliesto:
     - Microsoft Defender XDR
     - Microsoft Sentinel in the Microsoft Defender portal
 ms.topic: how-to
-ms.date: 02/10/2025
+ms.date: 05/02/2025
 ---
 
 # Create and manage custom detections rules
@@ -75,13 +75,14 @@ In the Microsoft Defender portal, go to **Advanced hunting** and select an exist
 
 
 To create a custom detection rule, the query must return the following columns:
-1. `Timestamp` - Used to set the timestamp for generated alerts
-2. A column or combination of columns that uniquely identify the event in Defender XDR tables:
+1. `Timestamp` - This column is used to set the timestamp for generated alerts. The `Timestamp` that is returned from the query should not have been manipulated in the query and should be returned exactly as it appears in the raw event.
+   
+3. A column or combination of columns that uniquely identify the event in Defender XDR tables:
       - For Microsoft Defender for Endpoint tables, the `Timestamp`, `DeviceId`, and `ReportId` columns must appear in the same event
       - For Alert* tables, `Timestamp` must appear in the event
       - For Observation* tables, `Timestamp`and `ObservationId` must appear in the same event
       - For all others, `Timestamp` and `ReportId` must appear in the same event
-3. One of the following columns that contain a strong identifier for an impacted asset:
+4. One of the following columns that contain a strong identifier for an impacted asset:
       - `DeviceId`
       - `DeviceName`
       - `RemoteDeviceName`
@@ -99,6 +100,8 @@ To create a custom detection rule, the query must return the following columns:
 > [!NOTE]
 > Support for more entities will be added as new tables are added to the [advanced hunting schema](advanced-hunting-schema-tables.md).
 
+
+
 Simple queries, such as those that don't use the `project` or `summarize` operator to customize or aggregate results, typically return these common columns.
 
 There are various ways to ensure more complex queries return these columns. For example, if you prefer to aggregate and count by entity under a column such as `DeviceId`, you can still return `Timestamp` and `ReportId` by getting it from the most recent event involving each unique `DeviceId`.