Merge branch 'main' into patch-5

Author: denisebmsft

defender-endpoint/behavior-monitor-macos.md

@@ -6,7 +6,7 @@ ms.author: ewalsh
 manager: deniseb
 ms.service: defender-endpoint
 ms.topic: overview
-ms.date: 01/02/2025
+ms.date: 05/15/2025
 ms.subservice: ngp
 audience: ITPro
 ms.collection:
@@ -116,18 +116,7 @@ The following sections describe each of these methods in detail.
                    <dict>
                    <key>behaviorMonitoring</key>
                    <string>enabled</string>
-                   <key>behaviorMonitoringConfigurations</key>
-                   <dict>
-                   <key>blockExecution</key>
-                   <string>enabled</string>
-                   <key>notifyForks</key>
-                   <string>enabled</string>
-                   <key>forwardRtpToBm</key>
-                   <string>enabled</string>
-                   <key>avoidOpenCache</key>
-                   <string>enabled</string>
-                                    </dict>
-                       </dict>
+                   </dict>
                </dict>
            </array>
        </dict>
@@ -162,22 +151,11 @@ The following sections describe each of these methods in detail.
                    <key>behaviorMonitoring</key>
                    <string>enabled</string>
                </dict>
-                   <key>features</key>
-                        <dict>
-                            <key>behaviorMonitoring</key>
-                            <string>enabled</string>
-                            <key>behaviorMonitoringConfigurations</key>
-                                <dict>
-                                    <key>blockExecution</key>
-                                    <string>enabled</string>
-                                    <key>notifyForks</key>
-                                    <string>enabled</string>
-                                    <key>forwardRtpToBm</key>
-                                    <string>enabled</string>
-                                    <key>avoidOpenCache</key>
-                                    <string>enabled</string>
-                                </dict>
-                        </dict>
+           <key>features</key>
+               <dict>
+                   <key>behaviorMonitoring</key>
+                   <string>enabled</string>
+               </dict>
        </dict>
    </plist>
    ```
@@ -219,14 +197,42 @@ sudo mdatp threat list
 
 ```
 
-### Frequently Asked Questions (FAQ)
+### Frequently asked questions (FAQ)
+
+#### What if I see an increase in CPU utilization or memory utilization?
+
+Disable behavior monitoring and see if the issue goes away. If the issue doesn't go away, it isn't related to behavior monitoring.
+
+If the issue goes away, re-enable behavior monitoring and use behavior monitoring statistics to identify and exclude processes generating excessive events:
+
+```bash
+sudo mdatp config behavior-monitoring-statistics --value enabled
+```
+
+Repro the issue and then execute:
+
+```bash
+sudo mdatp diagnostic behavior-monitoring-statistics --sort
+```
+
+This command lists processes running on the machine which are reporting behavior monitoring events to the engine process. The more events, the more CPU/memory impact that process has.
 
-#### What if I see an increase in cpu utilization or memory utilization?
+Exclude identified processes using:
 
-Disable behavior monitoring and see if the issue goes away.
+```bash
+sudo mdatp exclusion process add --path <path to process with lots of events>
+```
+
+> [!IMPORTANT]
+> Please verify the reliability of the processes being excluded. Excluding these processes will prevent all events from being sent to behavior monitoring and from undergoing content scanning. However, EDR will continue to receive events from these processes. It is important to note that this mitigation is unlikely to reduce CPU usage of the `wdavdaemon` or `wdavdaemon_enterprise` processes, but may affect `wdavdaemon_unprivileged`. If the other two processes are also experiencing high CPU usage, behavior monitoring may not be the sole cause, and contacting Microsoft support is recommended.
+
+Once done, disable behavior monitoring statistics:
+
+```bash
+sudo mdatp config behavior-monitoring-statistics --value disabled
+```
 
-- If the issue doesn't go away, it isn't related to behavior monitoring.
-- If the issue goes away, download the [XMDE Client Analyzer](https://aka.ms/XMDEClientAnalyzer), and then contact Microsoft support.
+If the issue persists, download the [XMDE Client Analyzer](https://aka.ms/XMDEClientAnalyzer), and then contact Microsoft support.
 
 ## Network real-time inspection for macOS
 

defender-endpoint/enable-network-protection.md

@@ -3,7 +3,7 @@ title: Turn on network protection
 description: Enable network protection with Group Policy, PowerShell, or Mobile Device Management and Configuration Manager.
 ms.service: defender-endpoint
 ms.localizationpriority: medium
-ms.date: 05/13/2025
+ms.date: 05/15/2025
 ms.topic: conceptual
 author: emmwalshh
 ms.author: ewalsh
@@ -192,7 +192,7 @@ Use the following procedure to enable network protection on domain-joined comput
 
    | Windows Server version | Commands |
    |---|---|
-   |Windows Server 2019 and later | `set-mpPreference -AllowNetworkProtectionOnWinServer $true` |
+   |Windows Server 2019 and later | `set-mpPreference -AllowNetworkProtectionOnWinServer $true` <br/> `set-MpPreference -AllowDatagramProcessingOnWinServer $true`|
    |Windows Server 2016 <br/>Windows Server 2012 R2 with the [unified agent for Microsoft Defender for Endpoint](/defender-endpoint/enable-network-protection) | `set-MpPreference -AllowNetworkProtectionDownLevel $true` <br/> `set-MpPreference -AllowNetworkProtectionOnWinServer $true` <br/> `set-MpPreference -AllowDatagramProcessingOnWinServer $true`|
 
    > [!IMPORTANT]

defender-endpoint/gov.md

@@ -158,6 +158,7 @@ These are the known gaps:
 |Microsoft Secure Score|![Yes](media/svg/check-yes.svg)<br/>See note following this table|![Yes](media/svg/check-yes.svg)|![Yes](media/svg/check-yes.svg)|
 |Microsoft Threat Experts|![No](media/svg/check-no.svg)|![No](media/svg/check-no.svg)|![No](media/svg/check-no.svg)|
 |Microsoft Defender for Endpoint Security Configuration Management|![No](media/svg/check-no.svg)|![No](media/svg/check-no.svg)|![No](media/svg/check-no.svg)|
+|Microsoft Defender for IoT enterprise IoT security|![No](media/svg/check-no.svg)|![No](media/svg/check-no.svg)|![No](media/svg/check-no.svg)|
 
 > [!NOTE]
 > While Microsoft Secure Score is available for GCC, GCC High and DoD customers, there are some security recommendations that aren't available.

defender-endpoint/indicator-file.md

@@ -6,7 +6,7 @@ ms.service: defender-endpoint
 ms.author: deniseb
 author: denisebmsft
 ms.localizationpriority: medium
-ms.date: 03/04/2025
+ms.date: 05/16/2025
 manager: deniseb
 audience: ITPro
 ms.collection: 
@@ -58,7 +58,7 @@ Understand the following prerequisites before you create indicators for files:
 - This feature is available if your organization uses [Microsoft Defender Antivirus](microsoft-defender-antivirus-windows.md) (in active mode) 
 - The antimalware client version must be `4.18.1901.x` or later. See [Monthly platform and engine versions](microsoft-defender-antivirus-updates.md#platform-and-engine-releases)
 - This feature is supported on devices running Windows 10, version 1703 or later, Windows 11, Windows Server 2012 R2, Windows Server 2016 or later, Windows Server 2019, Windows Server 2022, and Windows Server 2025.
-- File hash computation is enabled, by setting `Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MpEngine\` to **Enabled**
+- File hash computation is enabled by setting `Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MpEngine\Enable File Hash Computation` to **Enabled**. Or, you can run the following PowerShell command: `Set-MpPreference -EnableFileHashComputation $true`
 
 > [!NOTE]
 > File indicators support portable executable (PE) files, including `.exe` and `.dll` files only.
@@ -91,9 +91,6 @@ Understand the following prerequisites before you create indicators for files:
    - Action: Specify the action to be taken and provide a description.
    - Scope: Define the scope of the device group (scoping isn't available in [Defender for Business](/defender-business/mdb-overview)).
 
-   > [!NOTE]
-   > Device Group creation is supported in both Defender for Endpoint Plan 1 and Plan 2
-
 5. Review the details in the Summary tab, then select **Save**.
 
 ## Create a contextual indicator from the file details page
@@ -124,7 +121,7 @@ The current supported actions for file IOC are allow, audit and block, and remed
    :::image type="content" source="media/indicators-generate-alert.png" alt-text="The Alert settings for file indicators" lightbox="media/indicators-generate-alert.png":::
 
    > [!IMPORTANT]
-   > - Typically, file blocks are enforced and removed within15 minutes, average 30 minutes but can take upwards of 2 hours.
+   > - Typically, file blocks are enforced and removed within 15 minutes, average 30 minutes but can take upwards of 2 hours.
    > - If there are conflicting file IoC policies with the same enforcement type and target, the policy of the more secure hash will be applied. An SHA-256 file hash IoC policy will win over an SHA-1 file hash 
    IoC policy, which will win over an MD5 file hash IoC policy if the hash types define the same file. This is always true regardless of the device group.
    > - In all other cases, if conflicting file IoC policies with the same enforcement target are applied to all devices and to the device's group, then for a device, the policy in the device group will win.
@@ -147,7 +144,7 @@ Timestamp > ago(30d)
 
 For more information about advanced hunting, see [Proactively hunt for threats with advanced hunting](/defender-xdr/advanced-hunting-overview).
 
-Here are other thread names that can be used in the sample query:
+Here are other threat names that can be used in the sample query:
 
 Files:
 
@@ -201,9 +198,13 @@ Microsoft Defender Vulnerability Management's block vulnerable application featu
 ## See also
 
 - [Create indicators](indicators-overview.md)
+
 - [Create indicators for IPs and URLs/domains](indicator-ip-domain.md)
+
 - [Create indicators based on certificates](indicator-certificates.md)
+
 - [Manage indicators](indicator-manage.md)
+
 - [Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md)
 
 [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]

defender-endpoint/run-analyzer-linux.md

@@ -9,7 +9,7 @@ ms.service: defender-endpoint
 ms.subservice: linux
 ms.localizationpriority: medium
 ms.topic: troubleshooting-general
-ms.date: 05/14/2025
+ms.date: 05/15/2025
 ms.custom: partner-contribution
 ms.collection:
 - m365-security
@@ -45,7 +45,7 @@ If you have issues with Microsoft Defender for Endpoint on Linux and need suppor
 2. Verify the download.
 
     ```bash
-    echo '4D3073F252667AC87F1229163677CB6843E0454AC4F33A526D7F55DDAA5E09E3 XMDEClientAnalyzerBinary.zip' | sha256sum -c
+    echo '24F0A3BFC9B2CF41893A1C867AE6D1B6B79250F24D15DBA0B080B7083F78CA81 XMDEClientAnalyzerBinary.zip' | sha256sum -c
     ```
 
 3. Extract the contents of `XMDEClientAnalyzerBinary.zip` on the machine.

defender-endpoint/run-analyzer-macos.md

@@ -9,7 +9,7 @@ ms.service: defender-endpoint
 ms.subservice: macos
 ms.localizationpriority: medium
 ms.topic: troubleshooting-general
-ms.date: 05/14/2025
+ms.date: 05/15/2025
 ms.custom: partner-contribution
 ms.collection:
 - m365-security
@@ -43,7 +43,7 @@ If you're experiencing reliability or device health issues with Microsoft Defend
 2. Verify the download.
 
    ```bash
-   echo '4D3073F252667AC87F1229163677CB6843E0454AC4F33A526D7F55DDAA5E09E3  XMDEClientAnalyzerBinary.zip' | shasum -a 256 -c
+   echo '24F0A3BFC9B2CF41893A1C867AE6D1B6B79250F24D15DBA0B080B7083F78CA81  XMDEClientAnalyzerBinary.zip' | shasum -a 256 -c
    ```
 
 3. Extract the contents of `XMDEClientAnalyzerBinary.zip` on the machine. 

defender-office-365/anti-spam-protection-about.md

@@ -145,7 +145,7 @@ These settings aren't configured in the default anti-spam policy by default, or
 
   ² For **High confidence phishing**, the **Move message to Junk Email folder** action is effectively deprecated. Although you might be able to select the **Move message to Junk Email folder** action, high confidence phishing messages are always quarantined (equivalent to selecting **Quarantine message**).
 
-  ³ You can use this value as a condition in [Mail flow rules in Exchange Server](/exchange/policy-and-compliance/mail-flow-rules/mail-flow-rules) to filter or route messages for mailboxes in on-premises Exchange environments.
+  ³ You can use this value as a condition in [Mail flow rules in Exchange Server](/exchange/policy-and-compliance/mail-flow-rules/mail-flow-rules) to filter or route messages for mailboxes in on-premises Exchange environments only (not in Exchange Online).
 
   ⁴ If the spam filtering verdict quarantines messages by default (**Quarantine message** is already selected when you get to the page), the default quarantine policy name is shown in the **Select quarantine policy** box. If you _change_ the action of a spam filtering verdict to **Quarantine message**, the **Select quarantine policy** box is blank by default. A blank value means the default quarantine policy for that verdict is used. When you later view or edit the anti-spam policy settings, the quarantine policy name is shown. For more information about the quarantine policies that are used by default for spam filter verdicts, see [EOP anti-spam policy settings](recommended-settings-for-eop-and-office365.md#eop-anti-spam-policy-settings).
 

defender-xdr/advanced-hunting-overview.md

@@ -65,8 +65,13 @@ Also, your access to endpoint data is determined by role-based access control (R
 ## Data freshness and update frequency
 Advanced hunting data can be categorized into two distinct types, each consolidated differently.
 
-- **Event or activity data**—populates tables about alerts, security events, system events, and routine assessments. Advanced hunting receives this data almost immediately after the sensors that collect them successfully transmit them to the corresponding cloud services. For example, you can query event data from healthy sensors on workstations or domain controllers almost immediately after they are available on Microsoft Defender for Endpoint and Microsoft Defender for Identity.
-- **Entity data**—populates tables with information about users and devices. This data comes from both relatively static data sources and dynamic sources, such as Active Directory entries and event logs. To provide fresh data, tables are updated with any new information every 15 minutes, adding rows that might not be fully populated. Every 24 hours, data is consolidated to insert a record that contains the latest, most comprehensive data set about each entity.
+### **Event or activity data**
+Event or activity data populates tables about alerts, security events, system events, and routine assessments. Advanced hunting receives this data almost immediately after the sensors that collect them successfully transmit them to the corresponding cloud services. For example, you can query event data from healthy sensors on workstations or domain controllers almost immediately after they are available on Microsoft Defender for Endpoint and Microsoft Defender for Identity. 
+
+To collect even more event properties, you have the option of turning on [aggregated reporting](/defender-endpoint/aggregated-reporting).
+
+### **Entity data**
+Entity data populates tables with information about users and devices. This data comes from both relatively static data sources and dynamic sources, such as Active Directory entries and event logs. To provide fresh data, tables are updated with any new information every 15 minutes, adding rows that might not be fully populated. Every 24 hours, data is consolidated to insert a record that contains the latest, most comprehensive data set about each entity.
 
 
 ## Time zone

defender-xdr/configure-attack-disruption.md

@@ -9,7 +9,7 @@ audience: ITPro
 ms.topic: how-to
 ms.service: defender-xdr
 ms.localizationpriority: medium
-ms.date: 04/25/2025
+ms.date: 05/15/2025
 ms.collection:
 - m365-security
 - tier2
@@ -45,6 +45,8 @@ The following are prerequisites for configuring automatic attack disruption in M
 The Minimum Sense Agent version required for the **Contain User** action to work is v10.8470. You can identify the Sense Agent version on a device by running the following PowerShell command: 
 
 > Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection\' -Name "InstallLocation"
+> or
+> Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status' -Name "MsSenseDllVersion"
 
 #### Automation setting for your organizations devices
 

defender-xdr/custom-detection-rules.md

@@ -170,7 +170,7 @@ Once you click **Save**, the selected rules' frequency gets updated to Continuou
 You can run a query continuously as long as:
 
 - The query references one table only.
-- The query uses an operator from the list of supported KQL operators. **[Supported KQL features](/azure/azure-monitor/essentials/data-collection-transformations-structure#supported-kql-features)**
+- The query uses an operator from the list of **[Supported KQL features](/azure/azure-monitor/essentials/data-collection-transformations-structure#supported-kql-features)**. (For    `matches regex`, regular expressions must be encoded as string literals and follow the string quoting rules. For example, the regular expression `\A` is represented in KQL as `"\\A"`. The extra backslash indicates that the other backslash is part of the regular expression `\A`.)
 - The query doesn't use joins, unions, or the `externaldata` operator.
 - The query doesn't include any comments line/information.