Merge pull request #1912 from MicrosoftDocs/main

Publish main to live, Friday 10:30AM PST, 11/15

Author: Stacyrch140

.acrolinx-config.edn

@@ -1,6 +1,6 @@
 {:changed-files-limit 60
  :allowed-branchname-matches ["main" "release-.*"]
- :allowed-filename-matches ["ATADocs/" "CloudAppSecurityDocs/" "exposure-management/" "defender/" "defender-business/" "defender-endpoint/" "defender-for-cloud/" "defender-for-iot/" "defender-office-365/" "defender-vulnerability-management/" "defender-xdr/"] ;; Can be overridden in repo-specific edn file. This is an allow list that identifies which folders contain the files Acrolinx will check. Separate multiple folders as follows ["folder/" "folder2"]
+ :allowed-filename-matches ["ATADocs/" "CloudAppSecurityDocs/" "defender/" "defender-business/" "defender-endpoint/" "defender-for-cloud/" "defender-for-iot/" "defender-office-365/" "defender-vulnerability-management/" "defender-xdr/" "exposure-management/" "unified-secops-platform/"] ;; Can be overridden in repo-specific edn file. This is an allow list that identifies which folders contain the files Acrolinx will check. Separate multiple folders as follows ["folder/" "folder2"]
 
 :use-gh-statuses true
 

defender-endpoint/android-whatsnew.md

@@ -14,7 +14,7 @@ ms.collection:
 ms.topic: reference
 ms.subservice: android
 search.appverid: met150
-ms.date: 08/26/2024
+ms.date: 11/15/2024
 ---
 
 # What's new in Microsoft Defender for Endpoint on Android
@@ -27,6 +27,19 @@ ms.date: 08/26/2024
 
 Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
 
+**Ending support for Device Administrator enrolled devices**
+
+Microsoft Intune and Defender for Endpoint are ending support for Device Administrator enrolled devices with access to [Google Mobile Services](/mem/intune/apps/manage-without-gms) (GMS), beginning December 31, 2024.
+
+**For devices with access to GMS**
+
+After Intune and Defender for Endpoint ends support for Android device administrator, devices with access to GMS will be impacted in the following ways: 
+
+- Intune and Defender for Endpoint won’t make changes or updates to Android device administrator management, such as bug fixes, security fixes, or fixes to address changes in new Android versions.
+- Intune and Defender for Endpoint technical support will no longer support these devices.
+
+For more information, see [Tech Community blog: Intune ending support for Android device administrator on devices with GMS in December 2024](https://techcommunity.microsoft.com/blog/intunecustomersuccess/intune-ending-support-for-android-device-administrator-on-devices-with-gms-in-de/3915443).
+
 **Aug-2024 (version: 1.0.6812.0101)**
 
 - Network Protection feature is enabled by default for all users
@@ -115,7 +128,7 @@ Notify your users and helpdesk (as applicable) that users will need to accept th
 
 2. Tap **Begin**.
 
-3. Tap the toggle for **Allow access to manage all files.**
+1. Tap the toggle for **Allow access to manage all files.**
 
 4. The device is now protected.
 

defender-endpoint/evaluate-exploit-protection.md

@@ -15,7 +15,7 @@ ms.collection:
 - tier2
 - mde-asr
 search.appverid: met150
-ms.date: 12/18/2020
+ms.date: 11/15/2024
 ---
 
 # Evaluate exploit protection
@@ -31,7 +31,56 @@ ms.date: 12/18/2020
 
 [Exploit protection](exploit-protection.md) helps protect devices from malware that uses exploits to spread and infect other devices. Mitigation can be applied to either the operating system or to an individual app. Many of the features that were part of the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection. (The EMET has reached its end of support.)
 
-In audit, you can see how mitigation works for certain apps in a test environment. This shows what *would* have happened if you enabled exploit protection in your production environment. This way, you can verify that exploit protection doesn't adversely affect your line-of-business apps, and see which suspicious or malicious events occur.
+In audit, you can see how mitigation works for certain apps in a test environment. This shows what *would* happen if you enable exploit protection in your production environment. This way, you can verify that exploit protection doesn't adversely affect your line-of-business apps, and see which suspicious or malicious events occur.
+
+## Generic guidelines
+
+Exploit protection mitigations work at a low level in the operating system, and some kinds of software that perform similar low-level operations might have compatibility issues when they're configured to be protected by using exploit protection.  
+
+#### What kinds of Software shouldn't be protected by exploit protection?
+
+- Anti-malware and intrusion prevention or detection software
+- Debuggers
+- Software that handles digital rights management (DRM) technologies (that is, video games)
+- Software that use anti-debugging, obfuscation, or hooking technologies
+
+#### What type of applications should you consider enabling exploit protection?
+
+Applications that receive or handle untrusted data.
+
+#### What type of processes are out of scope for exploit protection?
+
+Services
+
+- System services
+- Network services
+
+## Application compatibility list
+
+The following table lists specific products that have compatibility issues with the mitigations that are included in exploit protection. You must disable specific incompatible mitigations if you want to protect the product by using exploit protection. Be aware that this list takes into consideration the default settings for the latest versions of the product.  Compatibility issues can introduced when you apply certain add-ins or other components to the standard software.
+
+| Product | Exploit protection mitigation |
+| -------- | -------- |
+| .NET 2.0/3.5   | EAF/IAF   |
+| 7-Zip Console/GUI/File Manager   | EAF  |
+| AMD 62xx processors  | EAF   |
+| Avecto (Beyond Trust) Power Broker   | EAF, EAF+, Stack Pivot   |
+| Certain AMD (ATI) video drivers   | System ASLR=AlwaysOn   |
+| DropBox   | EAF  |
+| Excel Power Query, Power View, Power Map and PowerPivot   | EAF  |
+| Google Chrome   | EAF+   |
+| Immidio Flex+   | Cell 4   |
+| Microsoft Office Web Components (OWC)   | System DEP=AlwaysOn  |
+| Microsoft PowerPoint   | EAF   |
+| Microsoft Teams   | EAF+   |
+| Oracle Javaǂ  | Heapspray   |
+| Pitney Bowes Print Audit 6   | SimExecFlow  |
+| Siebel CRM version is 8.1.1.9  | SEHOP   |
+| Skype   | EAF  |
+| SolarWinds Syslogd Manager   | EAF  |
+| Windows Media Player   | MandatoryASLR, EAF|
+
+ǂ EMET mitigations might be incompatible with Oracle Java when they're run by using settings that reserve a large chunk of memory for the virtual machine (that is, by using the -Xms option).
 
 ## Enable exploit protection for testing
 
@@ -45,12 +94,14 @@ You can set mitigations in a testing mode for specific programs by using the Win
 
 3. Go to **Program settings** and choose the app you want to apply protection to:
 
-    1. If the app you want to configure is already listed, select it and then select **Edit**
-    2. If the app isn't listed at the top of the list select **Add program to customize**. Then, choose how you want to add the app.
-        - Use **Add by program name** to have the mitigation applied to any running process with that name. Specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
-        - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
+   1. If the app you want to configure is already listed, select it and then select **Edit**.
+
+   2. If the app isn't listed at the top of the list select **Add program to customize**. Then, choose how you want to add the app.
 
-4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in test mode only. You'll be notified if you need to restart the process, app, or Windows.
+      - Use **Add by program name** to have the mitigation applied to any running process with that name. Specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
+      - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
+
+4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** applies the mitigation in test mode only. You're notified if you need to restart the process, app, or Windows.
 
 5. Repeat this procedure for all the apps and mitigations you want to configure. Select **Apply** when you're done setting up your configuration.
 
@@ -93,7 +144,7 @@ You can disable **audit mode** by replacing `-Enable` with `-Disable`.
 
 ## Review exploit protection audit events
 
-To review which apps would have been blocked, open Event Viewer and filter for the following events in the Security-Mitigations log.<br/><br/>
+To review which apps would be blocked, open Event Viewer and filter for the following events in the Security-Mitigations log.
 
 |Feature|Provider/source|Event ID|Description|
 |---|---|--|---|
@@ -110,4 +161,5 @@ To review which apps would have been blocked, open Event Viewer and filter for t
 - [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
 - [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md)
 - [Troubleshoot exploit protection](troubleshoot-exploit-protection-mitigations.md)
+
 [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]

defender-endpoint/run-analyzer-macos.md

@@ -9,7 +9,7 @@ ms.service: defender-endpoint
 ms.subservice: macos
 ms.localizationpriority: medium
 ms.topic: troubleshooting-general
-ms.date: 11/01/2024
+ms.date: 11/15/2024
 ms.custom: partner-contribution
 ms.collection:
 - m365-security
@@ -86,50 +86,62 @@ The tool currently requires Python version 3 or later to be installed on your de
 1. Download the [XMDE Client Analyzer](https://aka.ms/XMDEClientAnalyzer) tool to the Mac machine you're investigating.
 
    If you're using a terminal, download the tool by running the following command:
-
+   
       ```bash
    wget --quiet -O XMDEClientAnalyzer.zip https://aka.ms/XMDEClientAnalyzer
-   ```
-
-2. Verify the download. 
+      ```
+      
+1. Verify the download. 
 
    | OS | Command |
    |--|--|
-   | Linux | `echo '84C9718FF3D29DA0EEE650FB2FC0625549A05CD1228AC253DBB92C8B1D9F1D11 XMDEClientAnalyzer.zip' | sha256sum -c` |
-   | macOS | `echo '84C9718FF3D29DA0EEE650FB2FC0625549A05CD1228AC253DBB92C8B1D9F1D11  XMDEClientAnalyzer.zip' | shasum -a 256 -c` |
-
-3. Extract the contents of `XMDEClientAnalyzer.zip` on the machine. 
+   | Linux | `echo '84C9718FF3D29DA0EEE650FB2FC0625549A05CD1228AC253DBB92C8B1D9F1D11 XMDEClientAnalyzer.zip'| sha256sum -c` |
+   | macOS | `echo '84C9718FF3D29DA0EEE650FB2FC0625549A05CD1228AC253DBB92C8B1D9F1D11  XMDEClientAnalyzer.zip'| shasum -a 256 -c` |
+   
+1. Extract the contents of `XMDEClientAnalyzer.zip` on the machine. 
 
    If you're using a terminal, extract the files by using the following command:
-
+   
    ```bash
    unzip -q XMDEClientAnalyzer.zip -d XMDEClientAnalyzer
    ```
-
-4. Change directory to the extracted location.
+   
+1. Change directory to the extracted location.
 
    ```bash
    cd XMDEClientAnalyzer
    ```
-
-5. Give the tool executable permission:
+   
+1. Give the tool executable permission:
 
    ```bash
    chmod a+x mde_support_tool.sh
    ```
-
-6. Run as a nonroot user to install required dependencies:
+   
+1. Run as a nonroot user to install required dependencies:
 
    ```bash
    ./mde_support_tool.sh
    ```
+   
+1. When you download files on macOS, it automatically adds a new extended attribut called com.apple.quarantine which is scanned by Gatekeeper.  Before running, you will want to remove this extended attribute:
+
+   ```bash
+   xattr -c MDESupportTools
+   ```
+
+   Otherwise you might get the following warning:
+
+      "You might get a "MDESupportTool" Not Opened
+
+      Apple could not verify "MDESupportTool" is free of malware that may harm your Mac or compromise your privacy"
 
 1. To collect actual diagnostic package and generate the result archive file, run again as root:
 
-      ```bash
+   ```bash
    sudo ./mde_support_tool.sh -d
    ```
-
+      
 ## Command line options
 
 ### Primary command lines

defender-xdr/TOC.yml

@@ -302,6 +302,8 @@
                   href: advanced-hunting-cloudappevents-table.md
                 - name: CloudAuditEvents
                   href: advanced-hunting-cloudauditevents-table.md
+                - name: CloudProcessEvents
+                  href: advanced-hunting-cloudprocessevents-table.md                  
                 - name: DeviceEvents
                   href: advanced-hunting-deviceevents-table.md
                 - name: DeviceFileCertificateInfo

defender-xdr/advanced-hunting-cloudprocessevents-table.md

@@ -0,0 +1,94 @@
+---
+title: CloudProcessEvents table in the advanced hunting schema
+description: Learn about the CloudProcessEvents table in the advanced hunting schema, which contains information about process events in multicloud hosted environments.
+search.appverid: met150
+ms.service: defender-xdr
+ms.subservice: adv-hunting
+f1.keywords:
+  - NOCSH
+ms.author: maccruz
+author: schmurky
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: 
+- m365-security
+- tier3
+ms.custom: 
+- cx-ti
+- cx-ah
+ms.topic: reference
+ms.date: 11/11/2024
+---
+
+# CloudProcessEvents (Preview)
+
+[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
+
+**Applies to:**
+- Microsoft Defender XDR
+
+The `CloudProcessEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about process events in multicloud hosted environments such as Azure Kubernetes Service, Amazon Elastic Kubernetes Service, and Google Kubernetes Engine. Use this reference to construct queries that return information from this table.
+
+> [!IMPORTANT]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+For information on other tables in the advanced hunting schema, [see the advanced hunting reference](advanced-hunting-schema-tables.md).
+
+| Column name | Data type | Description |
+|-------------|-----------|-------------|
+| `Timestamp` | `datetime` | Date and time when the event was recorded |
+| `AzureResourceId` | `string` | 	Unique identifier of the Azure resource associated with the process |
+| `AwsResourceName` | `string` | Unique identifier specific to Amazon Web Services devices, containing the Amazon resource name|
+| `GcpFullResourceName` | `string` | Unique identifier specific to Google Cloud Platform devices, containing a combination of zone and ID for GCP |
+| `ContainerImageName` | `string` | UThe container image name or ID, if it exists |
+| `KubernetesNamespace` | `string` | The Kubernetes namespace name |
+| `KubernetesPodName` | `string` | The Kubernetes pod name | 	
+| `KubernetesResource` | `string` | Identifier value that includes namespace, resource type and name | 	 
+| `ContainerName` | `string` | Name of the container in Kubernetes or another runtime environment | 	 
+| `ContainerId`	 | `string` | The container identifier in Kubernetes or another runtime environment|  	 
+| `ActionType` | `string` | Type of activity that triggered the event. See the in-portal schema reference for details.| 	 
+| `FileName` | `string` | Name of the file that the recorded action was applied to | 	 
+| `FolderPath` | `string` | Folder containing the file that the recorded action was applied to| 	 
+| `ProcessId` | `long` | Process ID (PID) of the newly created process | 	 
+| `ProcessName` | `string` | The name of the process  | 	 
+| `ParentProcessName` | `string` | The name of the parent process | 	 
+| `ParentProcessId` | `string` | The process ID (PID) of the parent process| 	 
+| `ProcessCommandLine` | `string` | Command line used to create the new process| 	 
+| `ProcessCreationTime` | `datetime` | Date and time the process was created | 	 
+| `ProcessCurrentWorkingDirectory` | `string` | Current working directory of the running process | 	 
+| `AccountName` | `string` | User name of the account | 	 
+| `LogonId` | `long` | Identifier for a logon session. This identifier is unique on the same pod or container between restarts.	| 	 
+| `InitiatingProcessId` | `string` | Process ID (PID) of the process that initiated the event | 	 
+| `AdditionalFields` | `string` | Additional information about the event in JSON array format | 	 
+
+
+## Sample queries
+
+You can use this table to get detailed information on processes invoked in a cloud environment. The information is useful in hunting scenarios and can discover threats that can be observed through process details, like malicious processes or command-line signatures. 
+
+You can also investigate security alerts provided by Defender for Cloud that make use of the cloud process events data in advanced hunting to understand details in the process tree for processes that include a security alert.
+
+### Process events by command-line arguments
+To hunt for process events including a given term (represented by "x" in the query below) in the command-line arguments:
+
+```kusto
+CloudProcessEvents | where ProcessCommandLine has "x"
+```
+
+### Rare process events for a pod in a Kuberentes cluster
+To investigate unusual process events invoked as part of a pod in a Kubernetes cluster: 
+
+```kusto
+CloudProcessEvents | where AzureResourceId = "x" and KubernetesNamespace = "y" and KubernetesPodName = "z" | summarize count() by ProcessName | top 10 by count_ asc
+```
+
+## Related topics
+
+- [Advanced hunting overview](advanced-hunting-overview.md)
+- [Learn the query language](advanced-hunting-query-language.md)
+- [Use shared queries](advanced-hunting-shared-queries.md)
+- [Hunt across devices, emails, apps, and identities](advanced-hunting-query-emails-devices.md)
+- [Understand the schema](advanced-hunting-schema-tables.md)
+- [Apply query best practices](advanced-hunting-best-practices.md)
+

defender-xdr/advanced-hunting-schema-tables.md

@@ -61,7 +61,8 @@ The following reference lists all the tables in the schema. Each table name link
 | **[BehaviorEntities](advanced-hunting-behaviorentities-table.md)** (Preview) | Behavior data types in Microsoft Defender for Cloud Apps (not available for GCC) |
 | **[BehaviorInfo](advanced-hunting-behaviorinfo-table.md)** (Preview) | Alerts from Microsoft Defender for Cloud Apps (not available for GCC) |
 | **[CloudAppEvents](advanced-hunting-cloudappevents-table.md)** | Events involving accounts and objects in Office 365 and other cloud apps and services |
-| **[CloudAuditEvents](advanced-hunting-cloudauditevents-table.md)** | Cloud audit events for various cloud platforms protected by the organization's Microsoft Defender for Cloud |
+| **[CloudAuditEvents](advanced-hunting-cloudauditevents-table.md)** (Preview) | Cloud audit events for various cloud platforms protected by the organization's Microsoft Defender for Cloud |
+| **[CloudProcessEvents](advanced-hunting-cloudprocessevents-table.md)** (Preview)| Cloud process events for various cloud platforms protected by the organization's Microsoft Defender for Containers |
 | **[DeviceEvents](advanced-hunting-deviceevents-table.md)** | Multiple event types, including events triggered by security controls such as Microsoft Defender Antivirus and exploit protection |
 | **[DeviceFileCertificateInfo](advanced-hunting-DeviceFileCertificateInfo-table.md)** | Certificate information of signed files obtained from certificate verification events on endpoints |
 | **[DeviceFileEvents](advanced-hunting-devicefileevents-table.md)** | File creation, modification, and other file system events |