Merge branch 'main' into ASTQR-chrisda

Author: chrisda

defender-endpoint/android-configure.md

@@ -61,36 +61,32 @@ Network protection in Microsoft Defender for endpoint is disabled by default. Ad
 
 1. In the Microsoft Intune admin center, navigate to Apps > App configuration policies. Create a new App configuration policy.
 
-    > [!div class="mx-imgBorder"]
-    > ![Image of how to create a policy.](media/android-mem.png)
-
+> [!div class="mx-imgBorder"]
 1. Provide a name and description to uniquely identify the policy. Select **'Android Enterprise'** as the platform and **'Personally-owned work profile only'** as the profile type and **'Microsoft Defender'** as the Targeted app.
 
-    > [!div class="mx-imgBorder"]
-    > ![Image of policy details.](media/appconfigdetails.png)
-
+      > [!div class="mx-imgBorder"]
+   > ![Screenshot of policy details.](media/appconfigdetails.png)
+   
 1. In Settings page, select **'Use configuration designer'** and add **'Enable Network Protection in Microsoft Defender'** as the key and value as **'1'** to enable Network Protection. (Network protection is disabled by default)
 
-    > [!div class="mx-imgBorder"]
-    > ![Image of how to select enable network protection policy](media/selectnp.png)
-
-    > [!div class="mx-imgBorder"]
-    > ![Image of add configuration policy.](media/npvalue.png)
-
+      > [!div class="mx-imgBorder"]
+   > ![Screenshot of how to select enable network protection policy](media/selectnp.png)
+   
+      > [!div class="mx-imgBorder"]
+   > ![Screenshot of add configuration policy.](media/npvalue.png)
+   
 1. If your organization uses root CAs that are private, you must establish explicit trust between Intune (MDM solution) and user devices. Establishing trust helps prevent Defender from flagging root CAs as rogue certificates.
 
     To establish trust for the root CAs, use **'Trusted CA certificate list for Network Protection'** as the key. In the value, add the **'comma separated list of certificate thumbprints (SHA 1)'**.
 
     **Example of Thumbprint format to add**: `50 30 06 09 1d 97 d4 f5 ae 39 f7 cb e7 92 7d 7d 65 2d 34 31, 503006091d97d4f5ae39f7cbe7927d7d652d3431`
 
-   > [!IMPORTANT]
+      > [!IMPORTANT]
    > Certificate SHA-1 Thumbprint characters should be with either white space separated, or non separated.
    >
    > This format is invalid: `50:30:06:09:1d:97:d4:f5:ae:39:f7:cb:e7:92:7d:7d:65:2d:34:31`
 
-   Any other separation characters are invalid.
-
-   > ![Image of trusted CA certificate.](media/trustca.png)
+      Any other separation characters are invalid.
 
 1. For other configurations related to Network protection, add the following keys and appropriate corresponding value.
 
@@ -119,26 +115,6 @@ Network protection in Microsoft Defender for endpoint is disabled by default. Ad
 
 > [!NOTE]
 > Users need to enable location permission (which is an optional permission); this enables Defender for Endpoint to scan their networks and alert them when there are WIFI-related threats. If the location permission is denied by the user, Defender for Endpoint will only be able to provide limited protection against network threats and will only protect the users from rogue certificates.
-
-## Configure Low Touch Onboarding
-
-Admins can configure Microsoft Defender for Endpoint in low touch onboarding mode. In this scenario, administrators creates a deployment profile and the user is simply required to provide a reduced set of permissions to complete onboarding. 
-
-Android low touch onboarding is disabled by default. Admins can enable it through app configuration policies on Intune by following these steps:
-
-1.	Push the Defender app to target user group by following these [steps](android-intune.md#add-microsoft-defender-for-endpoint-on-android-as-a-managed-google-play-app).
-2.	Push a VPN profile to the user's device by following the instructions [here](android-intune.md#auto-setup-of-always-on-vpn).
-3.	In Apps > Application configuration policies, select Managed Devices.
-4.	Provide a name to uniquely identify the policy. Select 'Android Enterprise' as the Platform, the required Profile type and 'Microsoft Defender: Antivirus' as the targeted app. Click on Next.
-5.	Add runtime permissions. Select Location access (fine)(This permission is not supported for Android 13 and above), POST_NOTIFICATIONS and change the Permission state to 'Auto grant'.
-6.	Under configuration settings, select 'Use Configuration designer' and click on Add.
-7.	Select Low touch onboarding and User UPN. For User UPN, change the Value type to 'Variable' and Configuration value to 'User Principal Name' from the drop down Enable Low touch onboarding by changing the configuration value to 1.
-    >[!div class="mx-imgBorder"]
-    >![Image of low touch onboarding configuration policy.](media/low-touch-user-upn.png)
-
-8.	Assign the policy to the target user group.
-9.	Review and create the policy.
-
 ## Privacy Controls
 
 Following privacy controls are available for configuring the data that is sent by Defender for Endpoint from Android devices:
@@ -347,11 +323,11 @@ Use the following steps to configure the Device tags:
 5. Click Next and assign this policy to targeted devices and users.
 
 
-> [!NOTE] 
+> [!NOTE]
 > The Defender app needs to be opened for tags to be synced with Intune and passed to Security Portal. It may take up to 18 hours for tags to reflect in the portal.
-
 ## Related articles
 
 - [Overview of Microsoft Defender for Endpoint on Android](microsoft-defender-endpoint-android.md)
+
 - [Deploy Microsoft Defender for Endpoint on Android with Microsoft Intune](android-intune.md)
 [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]

defender-endpoint/api/get-all-vulnerabilities.md

@@ -94,21 +94,22 @@ Here is an example of the response.
     "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Vulnerabilities",
     "value": [
         {
-            "id": "CVE-2019-0608",
-            "name": "CVE-2019-0608",
-            "description": "A spoofing vulnerability exists when Microsoft Browsers does not properly parse HTTP content. An attacker who successfully exploited this vulnerability could impersonate a user request by crafting HTTP queries. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services.To exploit the vulnerability, the user must click a specially crafted URL. In an email attack scenario, an attacker could send an email message containing the specially crafted URL to the user in an attempt to convince the user to click it.In a web-based attack scenario, an attacker could host a specially crafted website designed to appear as a legitimate website to the user. However, the attacker would have no way to force the user to visit the specially crafted website. The attacker would have to convince the user to visit the specially crafted website, typically by way of enticement in an email or instant message, and then convince the user to interact with content on the website.The update addresses the vulnerability by correcting how Microsoft Browsers parses HTTP responses.",
-            "severity": "Medium",
-            "cvssV3": 4.3,
+            "id": "CVE-2024-7256",
+            "name": "CVE-2024-7256",
+            "description": "Summary: Google Chrome is vulnerable to a security bypass due to insufficient data validation in Dawn. An attacker can exploit this vulnerability by tricking a user into visiting a malicious website, allowing them to bypass security restrictions. Impact: If successfully exploited, this vulnerability could allow a remote attacker to bypass security restrictions in Google Chrome. Remediation: Apply the latest patches and updates provided by the respective vendors. Generated by AI",
+            "severity": "High",
+            "cvssV3": 8,
             "cvssVector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
-            "exposedMachines": 4,
-            "publishedOn": "2019-10-08T00:00:00Z",
-            "updatedOn": "2019-12-16T16:20:00Z",
+            "exposedMachines": 23,
+            "publishedOn": "2024-07-30T00:00:00Z",
+            "updatedOn": "2024-07-31T00:00:00Z",
+            "firstDetected": "2024-07-31T01:55:47Z",
             "publicExploit": false,
             "exploitVerified": false,
             "exploitInKit": false,
             "exploitTypes": [],
             "exploitUris": [],
-            "CveSupportability": "supported",
+            "cveSupportability": "Supported",
             "tags": [],
             "epss": 0.632
         }

defender-endpoint/cloud-protection-microsoft-antivirus-sample-submission.md

@@ -9,7 +9,7 @@ ms.reviewer: mkaminska, yongrhee
 manager: deniseb
 ms.subservice: ngp
 ms.topic: conceptual
-ms.date: 02/18/2024
+ms.date: 08/20/2024
 ms.collection: 
 - m365-security
 - tier2
@@ -54,37 +54,25 @@ Microsoft Defender Antivirus and cloud protection automatically block most new,
 
 3. High-precision antivirus, detecting common malware through generic and heuristic techniques.
 
-1. Advanced cloud-based protection is provided for cases when Microsoft Defender Antivirus running on the endpoint needs more intelligence to verify the intent of a suspicious file.
+4. Advanced cloud-based protection is provided for cases when Microsoft Defender Antivirus running on the endpoint needs more intelligence to verify the intent of a suspicious file.
 
    1. In the event Microsoft Defender Antivirus can't make a clear determination, file metadata is sent to the cloud protection service. Often within milliseconds, the cloud protection service can determine based on the metadata as to whether the file is malicious or not a threat.  
 
       - The cloud query of file metadata can be a result of behavior, mark of the web, or other characteristics where a clear verdict isn't determined.
-      - A small metadata payload is sent, with the goal of reaching a verdict of malware or not a threat. The metadata doesn't include personally identifiable information (PII). Information such as filenames, are hashed.
+      - A small metadata payload is sent, with the goal of reaching a verdict of malware or not a threat. The metadata doesn't include personal data, such as personally identifiable information (PII). Information such as filenames, are hashed.
       - Can be synchronous or asynchronous. For synchronous, the file won't open until the cloud renders a verdict. For asynchronous, the file opens while cloud protection performs its analysis.
       - Metadata can include PE attributes, static file attributes, dynamic and contextual attributes, and more (see [Examples of metadata sent to the cloud protection service](#examples-of-metadata-sent-to-the-cloud-protection-service)).
 
-   1. After examining the metadata, if Microsoft Defender Antivirus cloud protection can't reach a conclusive verdict, it can request a sample of the file for further inspection. This request honors the settings configuration for sample submission:
-   
-      1. **Send safe samples automatically** 
-         - Safe samples are samples considered to not commonly contain PII data like: .bat, .scr, .dll, .exe.
-         - If file is likely to contain PII, the user gets a request to allow file sample submission.
-         - This option is the default on Windows, macOS, and Linux.
-
-      1. **Always Prompt**
-         - If configured, the user is always prompted for consent before file submission
-         - This setting isn't available in macOS and Linux cloud protection
-                  
-      3. **Send all samples automatically**
-         - If configured, all samples are sent automatically
-         - If you would like sample submission to include macros embedded in Word docs, you must choose "Send all samples automatically"
-         - This setting isn't available on macOS cloud protection
-
-      1. **Do not send**
-         - Prevents "block at first sight" based on file sample analysis
-         - "Don't send" is the equivalent to the "Disabled" setting in macOS policy and "None" setting in Linux policy.
-         - Metadata is sent for detections even when sample submission is disabled
-
-   1. After files are submitted to cloud protection, the submitted files can be **scanned**, **detonated**, and processed through **big data analysis** **machine-learning** models to reach a verdict. Turning off cloud-delivered protection limits analysis to only what the client can provide through local machine-learning models, and similar functions.
+   2. After examining the metadata, if Microsoft Defender Antivirus cloud protection can't reach a conclusive verdict, it can request a sample of the file for further inspection. This request honors the setting configuration for sample submission, as described in the following table:
+
+      | Setting | Description |
+      |---|---|
+      | **Send safe samples automatically** | - Safe samples are samples considered to not commonly contain PII data. Examples include `.bat`, `.scr`, `.dll`, and `.exe`. <br/>- If file is likely to contain PII, the user gets a request to allow file sample submission.<br/>- This option is the default configuration on Windows, macOS, and Linux. |
+      | **Always Prompt** | - If configured, the user is always prompted for consent before file submission<br/>- This setting isn't available in macOS and Linux cloud protection |
+      | **Send all samples automatically** | - If configured, all samples are sent automatically<br/>- If you would like sample submission to include macros embedded in Word docs, you must choose **Send all samples automatically**<br/>- This setting isn't available on macOS cloud protection |
+      | **Do not send** | - Prevents "block at first sight" based on file sample analysis<br/>- "Don't send" is the equivalent to the "Disabled" setting in macOS policy and "None" setting in Linux policy.<br/>- Metadata is sent for detections even when sample submission is disabled |
+
+   3. After files are submitted to cloud protection, the submitted files can be **scanned**, **detonated**, and processed through **big data analysis** **machine-learning** models to reach a verdict. Turning off cloud-delivered protection limits analysis to only what the client can provide through local machine-learning models, and similar functions.
 
 > [!IMPORTANT]
 > [Block at first sight (BAFS)](configure-block-at-first-sight-microsoft-defender-antivirus.md) provides detonation and analysis to determine whether a file or process is safe. BAFS can delay the opening of a file momentarily until a verdict is reached. If you disable sample submission, BAFS is also disabled, and file analysis is limited to metadata only. We recommend keeping sample submission and BAFS enabled. To learn more, see [What is "block at first sight"?](configure-block-at-first-sight-microsoft-defender-antivirus.md#what-is-block-at-first-sight)
@@ -132,7 +120,7 @@ For more information, see the following resources:
 
 - [Azure Compliance Offerings](/azure/storage/common/storage-compliance-offerings) 
 - [Service Trust Portal](https://servicetrust.microsoft.com)
-- [Microsoft Defender for Endpoint data storage and privacy](data-storage-privacy.md#data-storage-location)
+- [Microsoft Defender for Endpoint data storage and privacy](data-storage-privacy.md)
 
 ## Other file sample submission scenarios