Merge pull request #2373 from MicrosoftDocs/main

Taojunshen · web-flow · commit 2cfa8cbb86d6 · 2025-01-09T07:01:04.000+08:00
1/8/2025 PM Publish
diff --git a/defender-endpoint/linux-install-with-puppet.md b/defender-endpoint/linux-install-with-puppet.md
@@ -15,7 +15,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: linux
 search.appverid: met150
-ms.date: 12/24/2024
+ms.date: 01/08/2025
 ---
 
 # Deploy Microsoft Defender for Endpoint on Linux with Puppet
@@ -29,16 +29,10 @@ ms.date: 12/24/2024
 
 > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-investigateip-abovefoldlink)
 
-This article describes how to deploy Defender for Endpoint on Linux using Puppet. A successful deployment requires the completion of all of the following tasks:
-
-- [Download the onboarding package](#download-the-onboarding-package)
-- [Create Puppet manifest](#create-a-puppet-manifest)
-- [Deployment (include the manifest inside the site.pp file)](#include-the-manifest-inside-the-sitepp-file)
-- [Monitor your Puppet deployment](#monitor-puppet-deployment)
+This article describes how to deploy Defender for Endpoint on Linux using Puppet. 
 
 [!INCLUDE [Microsoft Defender for Endpoint third-party tool support](../includes/support.md)]
 
-
 ## Prerequisites and system requirements
 
  For a description of prerequisites and system requirements, see [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md).
@@ -70,9 +64,9 @@ Download the onboarding package from Microsoft Defender portal.
    inflating: mdatp_onboard.json
    ```
 
-## Create a Puppet manifest
+## Create a directory
 
-You need to create a Puppet manifest for deploying Defender for Endpoint on Linux to devices managed by a Puppet server. This example makes use of the `apt` and `yumrepo` modules available from `puppetlabs`, and assumes that the modules are installed on your Puppet server.
+You need to create a directory for deploying Defender for Endpoint on Linux to devices managed by a Puppet server. This example makes use of the `apt` and `yumrepo` modules available from `puppetlabs`, and assumes that the modules are installed on your Puppet server.
 
 1. Under the **modules** folder if your Puppet installation, create the folders `install_mdatp/files` and `install_mdatp/manifests`. The **modules** folder is typically located at `/etc/puppetlabs/code/environments/production/modules` on your Puppet server. 
 
@@ -100,7 +94,7 @@ You need to create a Puppet manifest for deploying Defender for Endpoint on Linu
        └── init.pp
    ```
 
-## Create a manifest file
+## Create a Puppet manifest file
 
 There are two ways to create a manifest file:
 
@@ -157,8 +151,8 @@ class install_mdatp (
 
 }
 ```
->[!NOTE]
->Installer script also supports other parameters such as channel, realtime protection, version, etc. To select from the list of available options, check help.
+> [!NOTE]
+> The installer script also supports other parameters such as channel, realtime protection, version, etc. To select from the list of available options, check help.
 >`./mde_installer.sh --help`
 
 #### Create a manifest to deploy Defender for Endpoint by configuring repositories manually
@@ -265,7 +259,6 @@ class install_mdatp (
 
 > [!NOTE]
 > Defender for Endpoint on Linux can be deployed from one of the following channels: **insiders-fast, insiders-slow, prod**. Each channel corresponds to a Linux software repository. The choice of the channel determines the type and frequency of the updates that are offered to your device. Devices in `insiders-fast` are the first ones to receive updates and new features in preview, followed by `insiders-slow`, and lastly by `prod`.
->
 > Note your distribution and version and identify the closest entry for it under `https://packages.microsoft.com/config/[distro]/[version]`.
 
 > [!Warning]
@@ -287,7 +280,7 @@ node "default" {
 
 Enrolled agent devices periodically poll the Puppet Server and install new configuration profiles and policies as soon as they're detected.
 
-## Monitor Puppet deployment
+## Monitor your Puppet deployment
 
 On the agent device, you can also check the deployment status by running the following command:
 
@@ -327,10 +320,10 @@ To get support from Microsoft, raise a support ticket and provide log files by u
 
 ## How to configure policies for Microsoft Defender on Linux
 
-You can configure antivirus and EDR settings on your endpoints using following methods:
+You can configure antivirus and EDR settings on your endpoints. For more information, see the following articles:
 
-- See [Set preferences for Microsoft Defender for Endpoint on Linux](/defender-endpoint/linux-preferences) to learn more about the available settings 
-- See [security settings management](/mem/intune/protect/mde-security-integration) to configure settings in the Microsoft Defender portal.
+- [Set preferences for Microsoft Defender for Endpoint on Linux](/defender-endpoint/linux-preferences) describes the available settings 
+- [Security settings management](/mem/intune/protect/mde-security-integration) describes how to configure settings in the Microsoft Defender portal.
 
 ## Operating system upgrades
 
diff --git a/defender-endpoint/run-analyzer-linux.md b/defender-endpoint/run-analyzer-linux.md
@@ -9,7 +9,7 @@ ms.service: defender-endpoint
 ms.subservice: linux
 ms.localizationpriority: medium
 ms.topic: troubleshooting-general
-ms.date: 11/01/2024
+ms.date: 01/08/2024
 ms.custom: partner-contribution
 ms.collection:
 - m365-security
@@ -189,7 +189,7 @@ This section provides instructions on how to run the tool locally on the Linux m
 
 ### Run the binary version of the client analyzer
 
-#### Summary:
+#### Summary
 
 1. Obtain from [https://go.microsoft.com/fwlink/?linkid=2297517](https://go.microsoft.com/fwlink/?linkid=2297517). Or, if your Linux server has internet access use `wget` to download the file:
 
@@ -215,7 +215,7 @@ This section provides instructions on how to run the tool locally on the Linux m
 
 6. Upload the file for the support engineer.
 
-#### Details:
+#### Details
 
 1. Download the [XMDE Client Analyzer Binary](https://go.microsoft.com/fwlink/?linkid=2297517) tool to the Linux machine you need to investigate.
 
@@ -262,7 +262,7 @@ This section provides instructions on how to run the tool locally on the Linux m
    sudo ./MDESupportTool -d
    ```
 
-## Rung the Python-based client analyzer
+## Run the Python-based client analyzer
 
 > [!NOTE]
 > - The analyzer depends on few extra PIP packages (`decorator`, `sh`, `distro`, `lxml`, and `psutil`) which are installed in the operating system when in root to produce the result output. If not installed, the analyzer attempts to fetch it from the [official repository for Python packages](https://pypi.org/search/?q=lxml).
@@ -344,7 +344,8 @@ Use the following command to get the machine diagnostic.
 
 Usage example: `sudo ./MDESupportTool -d`
 
-NOTE: The log level autoreset feature only available in 2405 or newer client version.
+> [!NOTE]
+> The log level autoreset feature only available in 2405 or newer client version.
 
 ### Positional arguments
 
@@ -363,7 +364,7 @@ Usage example: `sudo ./MDESupportTool performance --frequency 2`
 
 #### Exclude mode
 
-Add exclusions for audit-d monitoring.
+Add exclusions for auditd monitoring.
 
 > [!NOTE]
 > This functionality exists for Linux only.
@@ -442,12 +443,33 @@ Usage example: `sudo ./mde_support_tool.sh skipfaultyrules -e true`
 ## See also
 
 - [Client analyzer overview](overview-client-analyzer.md)
+
 - [Download and run the client analyzer](download-client-analyzer.md)
+
 - [Run the client analyzer on Windows](run-analyzer-windows.md)
+
 - [Run the client analyzer on macOS or Linux](run-analyzer-macos-linux.md)
+
 - [Data collection for advanced troubleshooting on Windows](data-collection-analyzer.md)
+
 - [Understand the analyzer HTML report](analyzer-report.md)
 
+#### Defender for Endpoint on Linux troubleshooting documents
+
+- [Troubleshoot installation issues for Microsoft Defender for Endpoint on Linux](/defender-endpoint/linux-support-install)
+
+- [Investigate agent health issues](/defender-endpoint/health-status)
+
+- [Troubleshoot cloud connectivity issues for Microsoft Defender for Endpoint on Linux](/defender-endpoint/linux-support-connectivity)
+
+- [Troubleshoot performance issues for Microsoft Defender for Endpoint on Linux](/defender-endpoint/linux-support-perf)
+
+- [Troubleshoot missing events or alerts issues for Microsoft Defender for Endpoint on Linux](/defender-endpoint/linux-support-events)
+
+- [Address false positives/negatives in Microsoft Defender for Endpoint](/defender-endpoint/defender-endpoint-false-positives-negatives)
+
+ 
+
 [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]
 
 
diff --git a/defender-endpoint/run-analyzer-macos.md b/defender-endpoint/run-analyzer-macos.md
@@ -9,7 +9,7 @@ ms.service: defender-endpoint
 ms.subservice: macos
 ms.localizationpriority: medium
 ms.topic: troubleshooting-general
-ms.date: 01/06/2025
+ms.date: 01/08/2025
 ms.custom: partner-contribution
 ms.collection:
 - m365-security
@@ -62,7 +62,7 @@ If you're experiencing reliability or device health issues with Microsoft Defend
    - `SupportToolLinuxBinary.zip`: For all Linux devices
    - `SupportToolMacOSBinary.zip`: For Mac devices
 
-1. Unzip the SupportToolMacOSBinary.zip. 
+5. Unzip the SupportToolMacOSBinary.zip. 
 
    ```bash
     unzip -q SupportToolMacOSBinary.zip
@@ -91,40 +91,40 @@ The tool currently requires Python version 3 or later to be installed on your de
    wget --quiet -O XMDEClientAnalyzer.zip https://aka.ms/XMDEClientAnalyzer
       ```
       
-1. Verify the download. 
+2. Verify the download. 
 
    | OS | Command |
    |--|--|
    | Linux | `echo '84C9718FF3D29DA0EEE650FB2FC0625549A05CD1228AC253DBB92C8B1D9F1D11 XMDEClientAnalyzer.zip'| sha256sum -c` |
    | macOS | `echo '84C9718FF3D29DA0EEE650FB2FC0625549A05CD1228AC253DBB92C8B1D9F1D11  XMDEClientAnalyzer.zip'| shasum -a 256 -c` |
    
-1. Extract the contents of `XMDEClientAnalyzer.zip` on the machine. 
+3. Extract the contents of `XMDEClientAnalyzer.zip` on the machine. 
 
    If you're using a terminal, extract the files by using the following command:
    
    ```bash
    unzip -q XMDEClientAnalyzer.zip -d XMDEClientAnalyzer
    ```
    
-1. Change directory to the extracted location.
+4. Change directory to the extracted location.
 
    ```bash
    cd XMDEClientAnalyzer
    ```
    
-1. Give the tool executable permission:
+5. Give the tool executable permission:
 
    ```bash
    chmod a+x mde_support_tool.sh
    ```
    
-1. Run as a nonroot user to install required dependencies:
+6. Run as a nonroot user to install required dependencies:
 
    ```bash
    ./mde_support_tool.sh
    ```
    
-1. When you download files on macOS, it automatically adds a new extended attribute called com.apple.quarantine which is scanned by Gatekeeper.  Before running, you will want to remove this extended attribute:
+7. When you download files on macOS, it automatically adds a new extended attribute called com.apple.quarantine which is scanned by Gatekeeper.  Before running, you will want to remove this extended attribute:
 
    ```bash
    xattr -c MDESupportTools
@@ -136,7 +136,7 @@ The tool currently requires Python version 3 or later to be installed on your de
 
       Apple could not verify "MDESupportTool" is free of malware that may harm your Mac or compromise your privacy"
 
-1. To collect actual diagnostic package and generate the result archive file, run again as root:
+8. To collect actual diagnostic package and generate the result archive file, run again as root:
 
    ```bash
    sudo ./mde_support_tool.sh -d
@@ -168,7 +168,8 @@ Use the following command to get the machine diagnostic.
 
 Usage example: `sudo ./MDESupportTool -d`
 
-NOTE: The log level autoreset feature only available in 2405 or newer client version.
+> [!NOTE]
+> The log level autoreset feature is only available in 2405 or newer client version.
 
 ### Positional arguments
 
@@ -218,4 +219,22 @@ Usage example `./mde_support_tool.sh trace --length 5`
 | `Audited_info.txt` | Details on audited service and related components for [Linux](linux-resources.md) OS. |
 | `perf_benchmark.tar.gz` | The performance test reports. You see this file only if you're using the performance parameter. |
 
+## See also
+
+### Defender for Endpoint on macOS troubleshooting
+
+[Troubleshooting mode in Microsoft Defender for Endpoint on macOS](/defender-endpoint/mac-troubleshoot-mode)
+
+[Troubleshoot installation issues for Microsoft Defender for Endpoint on macOS](/defender-endpoint/mac-support-install)
+
+[Troubleshoot license issues for Microsoft Defender for Endpoint on macOS](/defender-endpoint/mac-support-license)
+
+[Troubleshoot system extension issues in Microsoft Defender for Endpoint on macOS](/defender-endpoint/mac-support-sys-ext)
+
+[Troubleshoot cloud connectivity issues for Microsoft Defender for Endpoint on macOS](/defender-endpoint/troubleshoot-cloud-connect-mdemac)
+
+[Overview for how to troubleshoot performance issues for Microsoft Defender for Endpoint on macOS](/defender-endpoint/mac-support-perf-overview)
+
+[Address false positives/negatives in Microsoft Defender for Endpoint](/defender-endpoint/defender-endpoint-false-positives-negatives)
+
 [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]
diff --git a/defender-xdr/microsoft-sentinel-onboard.md b/defender-xdr/microsoft-sentinel-onboard.md
@@ -22,7 +22,7 @@ search.appverid:
 appliesto:
     - Microsoft Defender XDR
     - Microsoft Sentinel in the Microsoft Defender portal
-ms.date: 12/02/2024
+ms.date: 01/08/2025
 ---
 
 # Connect Microsoft Sentinel to the Microsoft Defender portal
@@ -85,14 +85,7 @@ To connect a Microsoft Sentinel workspace to the Defender portal, complete the f
 1. In the Defender portal, select **Overview**.
 1. Select **Connect a workspace**.
 1. Choose the workspace you want to connect and select **Next**.
-1. Read and understand the product changes associated with connecting your workspace. These changes include:
-
-   - Incidents are no longer created by Microsoft Sentinel. They're now created by the correlation engine in the Microsoft Defender portal. This change is reflected in the incident's "incident provider name" field, which now reads "Microsoft Defender XDR."
-   - Therefore, any active [Microsoft security incident creation rules](/azure/sentinel/threat-detection#microsoft-security-rules) are deactivated to avoid creating duplicate incidents. The incident creation settings in other types of analytics rules remain as they were, but those settings are implemented in the Defender portal, not in Microsoft Sentinel.
-   - Log tables, queries, and functions in the Microsoft Sentinel workspace are also available in advanced hunting within the Defender portal.
-   - The Microsoft Sentinel Contributor role is assigned to the Microsoft Threat Protection and WindowsDefenderATP apps within the subscription.
-   - All alerts related to Defender XDR products are streamed directly from the main Defender XDR data connector to ensure consistency. Make sure you have incidents and alerts from this connector turned on in the workspace.
-
+1. Read and understand the product changes associated with connecting your workspace. 
 1. Select **Connect**.
 
 After your workspace is connected, the banner on the **Overview** page shows that your environment is ready. The **Overview** page is updated with new sections that include metrics from Microsoft Sentinel like the number of data connectors and automation rules.
